Dmitry Evteev, who earlier found misconfigured search-engine indexing settings on a train-ticket booking site, recently showed in his blog a design flaw in password recovery systems: when several conditions coincide, it made it possible to learn the mobile phone number of any user who has accounts in two or three popular services and social networks. At the moment the vulnerability is only partially fixed.
Some time ago Vkontakte asked its users, nominally on a voluntary basis (in practice, compulsorily), to link a mobile phone number to their account so that access could be quickly restored later. To some extent this also helped curb mass spam messages within the site.
Vkontakte promises that the phone number "is not displayed anywhere." This is not the case at all: the victim's e-mail address alone was enough for an attacker to obtain the first seven digits of the number from the password recovery dialog.

If the victim also has a Google account, its password recovery dialog reveals the last two digits of the phone number to anyone who knows the e-mail address. That narrows the search to 100 candidate numbers, an amount that is not hard to try exhaustively.

If the user is also registered on Facebook (a non-zero probability) and the attacker knows the e-mail address the account is linked to, the last four digits can be established as well, which pins down the number completely.

Thus, because each service masks a different part of the phone number to which an account password can be reset, combining the hints could let an attacker add numbers to a database for SMS spam mailings, or carry out an account takeover in the style of the Mat Honan incident.
Interestingly, besides Vkontakte, which Dmitry pointed out, the first seven digits were also shown by Odnoklassniki and Mail.ru. With the latter, obtaining the data is especially easy: the e-mail address can be read from the URL of the user's "My World" (Moi Mir) profile, and the password recovery dialog does not even have a CAPTCHA.
At the moment, thanks to the quick response of the support teams of two of the three domestic social networks, Vkontakte shows only the country code and the last two digits (the same digits Google already reveals, so no new information is gained), and Odnoklassniki has hidden the user's number altogether. Because the third service has been slow to react, Mail.ru still discloses the first seven digits, and combined with Facebook's last four this still yields the full number; some users will therefore have to unlink their phone number from their Mail.ru account or remove it from their Facebook account.
If you care about the security of your personal data, I would once again advise using a separate mailbox with a non-obvious name for registering on web sites.