
How to Rob Microsoft, Google, and Instagram With Just a Phone Call


You don’t think of tech giants as likely victims of a phone scam. But a researcher found a simple yet ingenious way to trick three companies—Microsoft, Google, and Facebook’s Instagram—into forking over money using nothing more than the telephone.

The trick took advantage of a feature the companies use to verify a user’s identity. Normally, the verification process relies on the user entering a code sent by text message. But if the user doesn’t respond to the text message, the companies will follow up with a phone call.

As the researcher, Arne Swinnen, showed in a blog post, Instagram will place a call from a 650 area code in California:

[Screenshot: an Instagram verification call arriving from a 650 area code. Credit: Arne Swinnen]

The problem is that Instagram and the two other companies were not discerning about which numbers they called. They would, as Swinnen discovered, even place calls to premium numbers (such as the ones used by psychics or phone-sex workers) that charge several dollars a minute to connect. To prove the exploit worked, he collected a symbolic one U.K. pound from Instagram.

In the case of Microsoft, Swinnen found the company would answer multiple concurrent calls placed by an auto-dialing system, meaning “an attacker could thus steal an enormous amount of money in very little time.”
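The fixes the companies would need are simple to sketch. The following is an added example, not code from Swinnen's post or from any of the three companies: before a voice-fallback verification call is placed, the guard rejects premium-rate destinations, refuses a second concurrent call to the same number, and caps calls per number per hour. The prefix list and limits are constructed for illustration.

```python
from collections import defaultdict

# Constructed, illustrative denylist in E.164 form. US 1-900 and UK 09 numbers
# are premium-rate ranges; a real deployment would consult a carrier database
# rather than a hand-written prefix list.
PREMIUM_PREFIXES = ("+1900", "+449")
MAX_CALLS_PER_HOUR = 3


def normalize(number: str) -> str:
    """Reduce '+44 909 879 0000' style input to '+' followed by digits only."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


class VoiceFallbackGuard:
    """Decides whether a verification call may be placed to a number."""

    def __init__(self):
        self.in_progress = set()          # numbers with a call currently ringing
        self.history = defaultdict(list)  # number -> timestamps of placed calls

    def check(self, number: str, now: float) -> tuple:
        """Return (allowed, reason) without changing any state."""
        dest = normalize(number)
        if dest.startswith(PREMIUM_PREFIXES):
            return False, "premium-rate destination"
        if dest in self.in_progress:
            return False, "concurrent call to same number"
        recent = [t for t in self.history[dest] if now - t < 3600]
        if len(recent) >= MAX_CALLS_PER_HOUR:
            return False, "hourly limit reached"
        return True, "ok"

    def start_call(self, number: str, now: float) -> bool:
        """Record the call if the checks pass; the caller then dials it."""
        allowed, _ = self.check(number, now)
        if allowed:
            dest = normalize(number)
            self.in_progress.add(dest)
            self.history[dest].append(now)
        return allowed

    def end_call(self, number: str) -> None:
        """Release the concurrency slot once the call has ended."""
        self.in_progress.discard(normalize(number))
```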


The good news for the three companies is that Swinnen is not a professional criminal, but instead seeks to make money from so-called “bug bounty” programs. These programs typically pay rewards to people who tip them off about vulnerabilities in their software.

Although the companies told Swinnen they did not consider his discovery a vulnerability in their own platforms, two of them eventually decided to pay him a reward all the same. Facebook (FB) paid him $2,000 and Microsoft (MSFT) doled out $500, while Google (GOOGL) said it would give him a symbolic reward by naming him to its Hall of Fame. All the companies have since taken action to prevent someone else from exploiting the vulnerability.

In a Twitter (TWTR) exchange, Swinnen told me the phone hack he exposed was only a theoretical vulnerability, and that he is not aware of real world criminals exploiting it. But he added that there is a long history of scams involving premium phone numbers.

For those concerned about security, the episode illustrates yet again the virtue of bug bounty programs. The programs have been used for years by companies like Google and Facebook and, more recently, have been embraced by everyone from Chrysler (FCAU) to the Pentagon.