How a hacker stole money from Google, Microsoft, and Facebook

A security researcher has published details of how to abuse two-factor authentication phone calls to steal large amounts of money from tech giants Microsoft, Google, and Facebook.

Arne Swinnen.

Belgian researcher Arne Swinnen noted that Facebook-owned image sharing site Instagram, along with Google and Microsoft, did not verify the phone numbers users supplied to receive a security token for authentication.

He was able to direct all three companies' systems to call back costly premium numbers undetected, a flaw that had the potential to cost them large amounts of money.

"Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number," Swinnen said.

He reported the issue to Microsoft in February this year, and a fix was rolled out in early May. However, the fix was incomplete, further testing showed, and Microsoft had to redo it.

Swinnen earnt a US$500 (A$661) bug bounty from Microsoft for his work.

Swinnen abusing the Office 365 trial, bypassing Microsoft's attempts at blocking premium rate numbers.

Google similarly responded quickly, taking less than a month to investigate the issue.

Although Google said it has mitigations in place to detect premium rate numbers and stop the flow of money, the company told Swinnen that "because of the way the whole telco industry works, it is impossible to prevent it completely from happening".

An attacker successfully exploiting Google's call-back system could potentially earn as much as €1200 (A$1755) a day or €432,000 a year.

Swinnen said he had difficulty persuading Facebook it was facing serious fiscal risk. He reported the issue to Instagram's parent in September last year, but the social network claimed the feature was intentional.

"We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse," Swinnen reported Facebook as saying.

Swinnen said after he highlighted the potential for attackers to steal A$8400 per day through the flaw, the social network patched the vulnerability in January this year.

Swinnen earnt a US$4000 bug bounty (A$5280) from Facebook.