A security researcher claims to have spotted a flaw in Facebook’s account recovery feature that can let anyone easily break into your account — that too, without you ever noticing, media reported on Friday.
According to a report in the Independent, “there is no need of password to gain access and scammers can also lock you out of your own account”.
The discovery was made by 18-year-old James Martindale when he inserted a new SIM card into his phone.
Martindale quickly received a message from Facebook informing him that “he had not logged into his account for a while, despite not having tied the new number to his account”, the report said.
He then searched for the number on Facebook which brought up a single account.
Martindale then attempted to log into the account by using the number as the username and typing in a random password but failed because the password he entered was wrong.
He clicked on ‘Forgot Password’ option to recover his account but failed again.
Martindale searched for the account with the new number and found a list of account recovery options — comprising an email address and six phone numbers — for regaining access to the account.
“One of these options was for Facebook to text a password reset code to the very number Martindale had just tried to log in with,” the report said.
After selecting the option, he received the code and successfully logged into the ‘person’s’ account.
“Facebook then gave him the option to change the password, which would have locked the real user out of their account, or to skip that stage, which means he never would have known his account had been hacked,” the report pointed out.
Martindale performed the same trick with another new number and it resulted in the same.