Let’s face it, you’re here because the title caught your attention and you’re probably wondering whether or not this is one of those clickbait articles that seem promising but are duds. This is not a dud. I promise.
Yesterday, I came across an old Facebook profile of mine. Until then, I had completely forgotten about it. It took me some time to figure out its username, while its password was completely out of my memory. I had no option other than to reset the password using the ‘Forgotten your password’ feature. Here’s the step-by-step procedure I followed. Read it till the end; it gets interesting:
Unfortunately, I had access to neither, as I had deleted the email ID associated with the account long back and the phone number was no longer with me. I was stuck. I tried creating that email ID again but the mailing service wouldn’t let me. I tried using the ‘No longer have access to these?’ link but it didn’t work out either. The only option I was left with was to try my luck with the phone number. Most telecom operators churn unused numbers, which can then be assigned to new subscribers. Hoping for the best, I dialed it. Luckily, it was in service and the owner answered my call. I explained to him that the number he was using had belonged to me earlier, and that I had associated it with one of my accounts, which I was trying to reset. After a bit of persuading, he agreed to give me the six-digit code which Facebook would generate. I pressed Continue.
Thanks to the trusting gentleman, I could recover my profile and delete it for good. However, after this was over, something struck me. This was way too easy. I had just bypassed Facebook’s cutting-edge security and gained access to my account without actually proving that I am who I am claiming to be. For all he knew, I could have been a blackhat trying to gain access to his account through basic social engineering. I wondered if this could somehow be turned into an exploit and how to counter it.
Here’s what I tried next. Before deleting my old profile, I updated the associated phone number to my current number and verified it. Facebook has a nice feature: if you verify a number once from a certain profile, it gets removed from other profiles that have the same number associated with them. So the number got disassociated from my current profile. I added it back and verified it. In the old profile, I added the number again but didn’t verify it. This time Facebook allowed me to keep the same number associated with two profiles, one verified and the other not verified. I repeated the above steps again and this is what I found:
This time Facebook gave me a choice to select a profile. This is an important step, as will be seen below.
Here’s a scenario. Let’s say Mr. X wants to hack your profile. All he needs is your phone number and the ability to confidently lie on the phone (aka social engineering skills). Here’s how he might proceed:
I call this exploit the Churned Number Exploit. What is being exploited here? The concept of churned numbers and good old human trust.
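One way a service could counter the churned-number problem described in this post, shown as an added example (not code from the original article and not Facebook's actual logic). It models the verify-removes-from-other-profiles behaviour from the post and refuses an SMS-only reset when the number was never verified or is stale on a dormant account. The account model, the function names, the one-year threshold and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: a number not re-confirmed within this window may have been churned.
MAX_AGE = timedelta(days=365)

@dataclass
class PhoneBinding:
    number: str
    verified_at: Optional[datetime]  # None means added but never verified

@dataclass
class Account:
    name: str
    phone: Optional[PhoneBinding]
    last_login: datetime

def verify_number(accounts, owner, number, now):
    """Behaviour described in the post: verifying a number on one profile
    removes it from every other profile that lists it."""
    for acct in accounts:
        if acct is not owner and acct.phone and acct.phone.number == number:
            acct.phone = None
    owner.phone = PhoneBinding(number, now)

def sms_reset_decision(acct, now):
    """Return (allowed, reason) for a reset that relies on an SMS code alone."""
    binding = acct.phone
    if binding is None:
        return False, "no phone on file"
    if binding.verified_at is None:
        return False, "number never verified"
    dormant = now - acct.last_login > MAX_AGE
    if dormant and now - binding.verified_at > MAX_AGE:
        return False, "stale number on dormant account; require another proof"
    return True, "ok"

def demo():
    """Constructed sample data: a dormant old profile and a current profile."""
    now = datetime(2024, 1, 1)
    number = "+1-202-555-0100"  # constructed, fictional number
    old = Account("old", PhoneBinding(number, datetime(2015, 1, 1)), datetime(2016, 1, 1))
    cur = Account("current", None, now)
    out = {"dormant": sms_reset_decision(old, now)}
    verify_number([old, cur], cur, number, now)
    out["old_after_reverify"] = sms_reset_decision(old, now)
    out["current"] = sms_reset_decision(cur, now)
    old.phone = PhoneBinding(number, None)  # re-added without verifying, as in the post
    out["unverified"] = sms_reset_decision(old, now)
    return out
```

Calling `demo()` returns the decision for each of the four situations the post walks through.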