Accidental Airbnb Account Takeover Linked To Recycled Phone Numbers

It’s a flaw that can result in account takeover, credit card theft and privacy leaks, and yet it has gone unaddressed for years on certain websites and online apps.

The scenario works like this: A mobile device owner attempts to register an account on a website or web app, using a phone number that was recently assigned to him by a telecom carrier. But that phone number previously belonged to a different phone owner who at one time also signed up for the same web service. Instead of creating a new account, the new device owner instead is logged into the account of the phone number’s original owner.

“It’s probably one of the oldest vulnerabilities with regards to mobile phone numbers… and identity,” said Marc Rogers, executive director of cybersecurity at Okta.

It’s almost as if the new device owner has pulled off a SIM swap scam – only there was no intent of deception. Nobody tricked the wireless carrier into reassigning a victim’s phone number to another device. It just happened by chance.

Still, a less ethical person might take advantage of the situation by perusing the stranger’s online account for their payment card information or personal details. This is what compelled one concerned citizen to contact SC Media last week after her husband encountered this very flaw while registering an account with online vacation rental marketplace Airbnb.

“When we went to the Airbnb site to sign up, the site gave us a few options to register as a new user. The first option on the list is by phone number,” the tipster, who wishes to remain anonymous, reported. “So we went ahead and typed in my husband’s phone number – which he obtained last May, not too long ago.”

Her husband then was sent a four-digit verification code to enter the site, and “boom! We were logged in to another user’s account,” she said.

That account belongs to a stranger whose valid credit card information, email address, phone number and other personal details were all accessible to the tipster and her husband – apparently all because the stranger had previously owned the husband’s phone number.

When SC Media contacted Airbnb last Friday regarding the complaint, a spokesperson said the company would address the issue and on Tuesday followed up with a statement: “We’ve developed a resolution for the reported issue involving recycled phone numbers and new account sign ups, which fortunately only affected a very small number of our users. We are constantly evaluating and improving our protections and are committed to strengthening the security controls of our platform.”

But the tipster disagreed and said the problem was not resolved. She said she determined this not by logging into the stranger’s account again, but by attempting to sign up for a new Airbnb account using her own phone number (not her husband’s), even though she already had an account registered with that number. Instead of creating a new account, she was logged in to her own previously existing account, she told SC Media.

Moreover, she said she never received any alerts from Airbnb notifying her of this anomalous account login activity – and therefore concluded that the stranger whose account was accidentally hijacked probably never did either. 

The tipster sent SC Media numerous screenshots of the Airbnb website as evidence of this accidental account takeover as well as images of her chat activity with Airbnb online support. At one point, the support team member tells the tipster that the only way for the husband to create his own account is to register with a different phone number, apparently because his own number was still associated with the stranger’s account.

As it turns out, websites and apps have experienced this commonplace problem for years.

“Phone numbers are recycled more frequently than before, especially with the explosion of new devices that require SIM cards,” Rogers explained.

Telecom companies try to avoid problems associated with recycling disowned numbers by taking those numbers out of service for a period of time before recycling them. (The FCC requires a minimum of 90 days.) However, this is not a panacea, and so it is advisable that website and web app developers – along with web account owners – follow best practices to help alleviate the issue.

Many don’t, though. Indeed, messaging service WhatsApp has reportedly also experienced the same problem of logging individuals with recycled phone numbers into other people’s accounts.

In certain cases, website or app operators could find themselves in violation of GDPR or Payment Card Industry data security standards if users’ information were to be exposed, Rogers said.

Best practices for developers, users

For starters, web and app developers should freeze accounts after a period of inactivity. That way, entering a reused phone number months after an account goes dormant can’t just automatically revive it.

“Best practice dictates that if you have a user account go silent for more than a set amount of time – especially an account that’s associated with payment details – you should lock it,” said Rogers, “because that user has gone away.”

“At the very least, if the user appears to come back, force them to go through a re-registration process to prove that they’re same person,” Rogers continued. “But this isn’t happening in some cases, and there are quite a few high-profile applications out there that hang on to users’ information, almost indefinitely.”

In the case presented by the tipster, it’s unclear whether or not the stranger whose account was accidentally accessed is still actively using her Airbnb account, despite no longer using the phone number she originally registered it with. If she has been actively using her account, then Rogers’ suggestion for Airbnb to lock down dormant accounts wouldn’t alone have prevented the accidental account takeover.

Still, there is more even companies like Airbnb can do. Namely, they can add a second factor of authentication when registering or re-registering for an online web service. “It should ask for additional information, especially when viewing things like financial payment systems,” said Rogers. Simple proof that you physically possess the phone isn’t sufficient in the situation presented by the tipster: “Well, of course you’re in possession of the phone,” said Rogers. After all, the phone number was assigned to you.

Proactive login alerts that inform account-holders when anomalous new login activity is taking place could also prove to be a useful security measure to warn of possible account takeovers before any damage is done.

An example of a company following best practices, said Rogers, is the messaging app Signal. If Signal users swap phones or change numbers on a phone, they start with an empty message history when they reinstall the app.

There is also an onus on individual account owners to change their online account details or even deactivate their accounts if they plan to drop or switching phone numbers, said Rogers. This is also potentially an important lesson for businesses, which sometimes provision and re-provision corporate-owned mobile devices to multiple employees who may go on to use those devices to register for online accounts.

“The same problem exists with mobile phones that you buy secondhand on eBay,” said Rogers, noting that he’s “picked up secondhand phones and found sensitive user information on them, even valid session IDs from major accounts.”

Better customer service on Airbnb’s part could have also helped the tipster, who was frustrated by multiple misunderstandings while talking to a customer support agent. At one point, the representative mistakenly thought the tipster was asking if she could complete a third-party booking. Then later, the rep incorrectly addressed the tipster by the wrong name, using the name of the stranger whose account was accidentally hijacked.

While Rogers wasn’t surprised to learn of this issue, he did express puzzlement as to why developers continue to tussle with this vulnerability.

“We’ve known about this problem for at least 20 years. And there are plenty of apps out there that do design securely to make sure that their apps have privacy by design,” said Rogers. “So I would say there’s largely no excuse for the apps that don’t do this.”