Accidental Airbnb account takeover linked to recycled phone numbers
It’s a flaw that can result in account takeover, credit card theft and privacy leaks, and yet it has gone unaddressed for years on certain websites and online apps.
The scenario works like this: A mobile device owner attempts to register an account on a website or web app, using a phone number that was recently assigned to him by a telecom carrier. But that phone number previously belonged to a different phone owner who at one time also signed up for the same web service. Instead of creating a new account, the new device owner is logged into the account of the phone number’s original owner.
“It’s probably one of the oldest vulnerabilities with regards to mobile phone numbers… and identity,” said Marc Rogers, executive director of cybersecurity at Okta.
It’s almost as if the new device owner has pulled off a SIM swap scam – only there was no intent of deception. Nobody tricked the wireless carrier into reassigning a victim’s phone number to another device. It just happened by chance.
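The scenario above, reduced to a toy sign-in flow. This is an added example, not code from the article or from any service it names: it assumes the caller has already passed an SMS one-time-code check for the number, and it contrasts a service keyed only on the phone number with one that also requires a second identifier bound to the existing account.

```python
# Added example (not from the article): a minimal phone-number sign-in flow.
# Assumption: the caller has already proven control of `phone` via an SMS code.
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    user_id: str
    phone: str
    email: str
    phone_stale: bool = False  # set when the number appears to have changed hands


class PhoneKeyedService:
    """Vulnerable: control of the number is enough to land in whatever account
    holds it, so a recycled number opens the previous owner's account."""

    def __init__(self) -> None:
        self.by_phone: Dict[str, Account] = {}
        self.count = 0

    def _create(self, phone: str, email: str) -> Account:
        self.count += 1
        acct = Account(f"u{self.count}", phone, email)
        self.by_phone[phone] = acct  # number now points at this account
        return acct

    def register_or_login(self, phone: str, email: str) -> Account:
        if phone in self.by_phone:
            return self.by_phone[phone]  # previous owner's account, no further check
        return self._create(phone, email)


class HardenedService(PhoneKeyedService):
    """An existing account opens only if the caller also matches a second
    identifier bound to it (the email here; a password or passkey would serve).
    A mismatch is treated as a recycled number: the newcomer gets a fresh
    account and the old binding is marked stale, so SMS-based sign-in to the
    old account is suspended until its owner re-verifies a number."""

    def register_or_login(self, phone: str, email: str) -> Account:
        existing = self.by_phone.get(phone)
        if existing is None:
            return self._create(phone, email)
        if email == existing.email and not existing.phone_stale:
            return existing  # same person, binding still trusted
        existing.phone_stale = True  # old owner must re-verify before SMS login
        return self._create(phone, email)  # rebinds the number to a new account
```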