The Churned Number Exploit: How to hack accounts using mobile number

Disclaimer: All the information provided on this Site is for educational and awareness purposes only. The Site Owner is no way responsible for any misuse of the information. Hacking with malicious intent or Cracking is the illegal thing we not suggest any one to do. It is illegal in cyber world & you can also get arrested. So be the White hat to provide Security & Protect or Country From Black hat Hackers.

Let’s face it, you’re here because the title caught your attention and you’re probably wondering whether or not this is one of those click bait articles that seem promising but are dud. This is not a dud. I promise.

Yesterday, I came across an old Facebook profile of mine. Until then, I had completely forgotten about it. It took me some time to figure out it’s username while it’s password was completely out of my memory. I had no option other than to reset the password using Forgotten your password feature. Here’s the step by step procedure I followed. Read it till the end it gets interesting:

• Step 1: I logged on to http://facebook.com and clicked on Forgotten your password option.

• Step 2: I entered the username for the profile:

• Step 3: Facebook recognized my account and asked me to choose a recovery option.

Unfortunately, I had access to neither as I had deleted the email ID, associated with the account, long back and the phone number was no longer with me. I was stuck. I tried creating that email ID again but the mailing service wouldn’t let me. I tried using ‘No longer have access to these?’ link but it didn’t work out either. The only option I was left with to try my luck with the phone number. Most telecom operators churn unused numbers which can then be assigned to new subscribers. Hoping for the best, I dialed it. Luckily, it was in service and the owner answered my call. I explained to him that the number he is using, belonged to me earlier, and I had associated with one of my accounts which I am trying to reset. After persuading a bit, he agreed to give me the six digit code which Facebook would generate. I pressed Continue.

• Step 4: After generating the code I called him back to get the six digit code. True to his word he gave me the code.

• Step 5: And I could finally reset my password.

What’s the catch?

Thanks to the trusting gentleman, I could recover my profile and delete it for good. However, after this got over, something struck me. This was way too easy. I just bypassed Facebook’s cutting edge security and gained access to my account without actually proving that I am who I am claiming to be. For all he knew, I could have been a blackhat trying to gain access to his account through basic social engineering. I wondered if this could somehow be turned into an exploit and how to counter it.

Here’s what I tried next. Before deleting my old profile, I updated the associated phone number to my current number and verified it. Facebook has a nice feature that if you verify a number once from a certain profile it gets removed from other profiles having that same number associated with them. So the number got disassociated from my current profile. I added it back and verified it. In the old profile, I added the number again but didn’t verify it. This time Facebook allowed me to keep the same number associated with two profiles, one verified and other not verified. I repeated the above steps again and this is what I found:

This time Facebook gave me a choice to select a profile. This is an important step, as will be seen below.

Putting it all together

Here’s a scenario. Let’s say Mr. X wants to hack your profile. All he needs is your phone number and the ability to confidently lie on phone (aka social engineering skills). Here’s how he might proceed:

1. Obtains your phone number. (Can be as simple as a basic Google search)
2. Creates a fake profile and adds your number to it, unverified
3. Follows steps 1,2 and reaches the account selection screen (Assuming you have associated that same number with your current profile).
4. Selects your account
5. Calls you and uses the above story to convince you to provide the six digit code. If for some reason, you decide to verify Mr. X’s claim. You’d follow steps 1,2 and reach the account selection screen. Seeing the two accounts listed there, one yours and one Mr. X’s fake profile (of course you wouldn’t know that it’s fake), you’ll have some assurance and may decide to ‘help’ him out.
6. Generates the code.
7. Calls you back to obtain the code (assuming that he was able to convince you).
8. You give the code to him
9. Follows steps 4 and 5 and changes your password.
10. Since Facebook would detect it as a login from an unknown location, it may temporarily lock the account, requiring a new six digit code, sent to phone, to unlock. If this happens, Mr. X would call you again and obtain the new six digit code.
11. Once in he can log you out from other devices, thus taking over your account completely.

I call this exploit, The Churned Number Exploit. What is being exploited here? The concept of churned numbers and good old human trust.

How can this be avoided?

1. If you’ve reached this far, you have already taken the most important step of fine tuning your internal alarm system by making yourself aware of the possibility of such a scam.
2. If you have not associated the phone number in question with any accounts, you have nothing to worry about.
3. Should you decide to help out a person facing this problem (there are genuine cases when people might need your help) and have also associated the same number with your account, make sure you completely verify their claim.
4. Follow steps 1,2 and when you reach the account selection screen, press ‘This is my account’ in front of the person’s account name. In the next screen if you see an option to reset password via phone, their claim is genuine. However, this will also mean that you have not yet verified the number in your account. Verify it as soon as possible to remove it from any other associated Facebook accounts.
5. Avoid helping in case you have no means to verify the claim. Facebook provides alternatives through which the said person can reset their password. Or you can ask them to call later once you have the means to verify the same.
6. To avoid putting yourself in such a situation, make sure that once you discard a number it is removed from associated accounts as well. This may include your email accounts, other social media accounts, bank accounts etc.