Diary of a kind-hearted hacker: Part 3

Facebook cares more about its users count than their security

Raymond 'Red' Reddington
3 min read · Dec 26, 2021

DISCLAIMER: This article is translated from a private blog of the Chinese hacker community. The author of the translation does not take any responsibility for the content of the original article.

Although Facebook’s position in the rankings is not as impressive as it was for many years, it is still the 6th biggest company in the world. Thus, there should be no doubts about its security… most likely.

The 100 largest companies in the world by market capitalization in 2021 [statista.com]

On the 8th of October, I bought a new mobile phone with a random number. From that very day, I started getting SMS messages from Facebook, the usual stuff like:

  • Annabelle, you have 5 friend requests and 1 group update on Facebook,
  • Annabelle, John Doe posted an update,
  • Jane Doe is a new Facebook friend suggestion…

The case was obvious. Annabelle hadn’t been using her number for a while, and it expired. However, the Facebook SMS notifications she had turned on were still active. And, don’t get me wrong, I just wanted to stop receiving them, as they were getting more and more annoying.

Facebook Notification Spam Has Crossed the Line [wired.com]

The idea of resetting the password came to me at the office (yes, I own a few of them), while testing the two-factor authentication of some application. But I didn’t expect I could do it without an email or username, so it went like clockwork. Logging in was also trivial, and, finally, I saw Annabelle’s wall. I decided to log out and continue the process from a public network so as not to soil my IP.

When I logged in the second time, I saw a recovery screen with only one available option for recovering the stolen account. Checkmate, me! It was “Trusted Contacts”.

Facebook “Trusted Contacts” recovery page

Most likely, Facebook noticed the strange activity and put the profile into recovery mode. At that point, neither resetting the password nor changing IP helped. The good thing was that the notifications stopped. Therefore, I gave up and forgot about it.

Censorship For Profit — A Look At Facebook’s Greedy Pay To Play Model! [medium.com]

This story would be over, if it weren’t for Facebook’s greed. After a week, I started receiving SMS messages again. It obviously meant that the account had been unlocked. At first I thought it had been unlocked by Annabelle. But, after I could successfully log in with my own password, I was the only possessor of the account. Can you imagine for what purposes I could have used it? But I didn’t. I just turned notifications off and left the account.
