In a remarkable feat, a teenager from the United Kingdom exposed a security breach in Facebook, thereby exposing vulnerabilities in the platform.
James Martindale, aged 17 and hailing from Yorkshire, found that he could easily hack into other users’ accounts by exploiting flaws in Facebook’s two-factor authentication system. Two-factor authentication is an added layer of security that requires users to enter a code sent to their phone number or email address before accessing their account.
Martindale discovered that by using readily available tools on the internet, he could bypass this system and gain access to any user account. He immediately alerted Facebook’s security team about the breach and advised them on how they could rectify it. In response to his findings, Facebook acknowledged Martindale’s efforts and thanked him for bringing the issue to their attention.
How Scammers Can Get Access to Your FB
According to a report in the Independent, “there is no need of password to gain access and scammers can also lock you out of your own account”.
The discovery was made by James Martindale when he inserted a new SIM card into his phone. Martindale quickly received a message from Facebook informing him that “he had not logged into his account for a while, despite not having tied the new number to his account”, the report said.
He then searched for the number on Facebook which brought up a single account.
Martindale then attempted to log into the account by using the number as the username and typing in a random password but failed because the password he entered was wrong.
He clicked on the ‘Forgot Password’ option to recover his account but failed again.
Martindale searched for the account with the new number and found a list of account recovery options comprising an email address and six phone numbers for regaining access to the account.
“One of these options was for Facebook to text a password reset code to the very number Martindale had just tried to log in with,” the report said. After selecting the option, he received the code and successfully logged into the ‘person’s’ account.
“Facebook then gave him the option to change the password, which would have locked the real user out of their account, or to skip that stage, which means he never would have known his account had been hacked,” the report pointed out. Martindale performed the same trick with another new number and it resulted in the same.