Meta says risk of account theft after phone number recycling isn’t its problem to solve

February 13, 2024 at 03:30AM

Meta has acknowledged that the reuse of phone numbers can lead to account takeovers, particularly once a number has been abandoned for at least 45 days. This issue implicates telecom companies’ phone number recycling practices, which create security and privacy risks. Despite reports and attempts to address the issue, Meta has declined to include it in its bug bounty program, prompting criticism and the involvement of data protection authorities.

According to the meeting notes, the issue of phone number reuse causing account takeovers is a significant concern, particularly with telecom companies recycling abandoned numbers. This can lead to security and privacy risks, such as malicious account reset attempts and account hijacking. Despite efforts by some telecom carriers to address these vulnerabilities, the problem persists for many online services that rely on mobile phone numbers for multi-factor authentication.

Privacy consultant Alexander Hanff raised awareness about this issue, pointing out how easily various online accounts could be compromised using a newly provisioned mobile phone number. When he tried to report this as a security vulnerability to Meta’s bug bounty program, his report was rejected. Meta’s response and Hanff’s subsequent actions indicate a dispute over the responsibility for addressing this security risk and potential violations of data protection regulations.

Overall, the meeting notes highlight the ongoing challenges related to phone number reuse and account takeovers, as well as the differing perspectives on how to address these issues.
