How Attackers can Hijack Your Facebook Account (Help Net Security)


Positive Technologies researchers have demonstrated that a user's phone number, together with access to the SS7 signalling network and knowledge of how to abuse its weaknesses, is enough to hijack that user's Facebook account.

Attackers abuse the social network's password recovery feature: supplying the victim's phone number makes Facebook send a one-time password to that number via SMS.

Beforehand, they exploit SS7 weaknesses to look up details about the victim's mobile subscription and to register the victim as roaming on a network node the attackers control; SS7 does not authenticate who sends such a registration request. From then on, calls and SMS messages intended for the victim are delivered to the attackers, including the password-recovery SMS from Facebook. Nothing here is specific to Facebook: any account-recovery or two-factor flow that treats receipt of an SMS as proof that the legitimate owner holds the phone is exposed in the same way.