Belgium-based bug bounty hunter Arne Swinnen analyzed the phone verification services offered by Facebook-owned Instagram, Google and Microsoft to determine whether they can be abused. Spoiler: It can be done.
Phone Verification Techniques Can Be Exploited
Swinnen tried to see if he could force the services to use a premium account number that directly paid him when contact was made, such as when the services would send a two-factor authentication (2FA) code.
Instagram, for instance, sends a message via SMS when a user registers for the first time. If the code is not then entered, it follows up with a voice call. That voice call is what gets tagged with a premium account.
Facebook shuffled its corporate feet for a bit when this was first described, saying it wasn’t a security issue. When it stopped shuffling, the company gave Swinnen $2,000 for his revelations. Based on his findings, the parameters for calling someone back have been tightened.
SecurityWeek reported that Instagram also made changes to its rate-limiting and monitoring systems.
Google will call you for a different reason. Its 2FA system allows users to receive authentication tokens via a voice call. Like Instagram, Google gets nailed with a hefty price tag for that call.
Google’s response was muted: “It looks like we have mitigations in place, and because of how the whole telco industry works, it’s impossible to prevent it completely from happening,” Google told Swinnen. “The attempt to exfiltrate the money would be stopped after a short time though, as we have the mitigations in place to detect it, so there’s that.”
Google didn’t give Swinnen any money for reporting the bug. “Google money loss for our process is less important than users’ security,” the company told him. However, it also assured him he’ll have a place in the Google Hall of Fame.
Swinnen noticed that Microsoft allows users to opt for voice calls during the registration process for an Office 365 trial account. That number may get blocked if the 2FA verification code given by the call is not entered. However, Swinnen figured out that if the call-in number contains extra digits, it won’t get blocked by the check.
Microsoft, which told SecurityWeek that the service was operated by a third party, gave Swinnen $500 for his insights. The company addressed the issue directly by preventing users from adding extra digits to the actual phone number.
A phone line can be the conduit for an automated attack. When a company uses a telephone number for phone verification or any other purpose, it must be monitored. Each of these tech giants was forced to tweak its services because Swinnen found ways that all could be exploited for big money by inventive scammers.
If it can happen to these tech giants, it can happen to you.