A flaw in a new centralized system that Meta built for users to manage their Facebook and Instagram logins may have allowed malicious hackers to defeat two-factor protection on those accounts simply by knowing the victim's phone number.
Gtm Mänôz, a security researcher in Nepal, noticed that Meta did not limit the number of attempts a user could make when entering the two-factor code used to log in through the new Meta Accounts Center, the system that lets users link all of their Meta accounts, such as Facebook and Instagram.
Given the victim's phone number, an attacker could open their own Accounts Center, enter the victim's phone number, attempt to link that number to their Facebook account, and then brute-force the two-factor SMS code. This was the critical step, because there was no cap on the number of attempts anyone could make.
Once the attacker guessed the code correctly, the victim's phone number was linked to the attacker's Facebook account. A successful attack also caused Meta to send the victim a message saying the phone number was now linked to someone else's account, which effectively disabled two-factor authentication on the victim's account.
At that point the target no longer has two-factor enabled, so in theory the attacker could try to take over the victim's Facebook account simply by phishing the password.
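The missing control here is an attempt limit on code verification. As an added illustration (not Meta's code, which is not public), the following verifier caps failed guesses per phone number and expires codes, so a six-digit SMS code cannot simply be exhausted; the phone numbers and limits are constructed for the example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # failed guesses before the pending code is discarded
CODE_TTL_SECONDS = 300    # a code stops being valid after five minutes

def max_guess_success_probability(attempts=MAX_ATTEMPTS, code_space=10**6):
    """Upper bound on an attacker's chance of guessing one code.
    With no cap (attempts >= code_space) this reaches 1.0, which is the
    situation the Accounts Center bug allowed."""
    return min(1.0, attempts / code_space)

class OtpVerifier:
    """Tracks one pending SMS code per phone number and limits guesses."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # phone -> {"code", "issued", "failures"}

    def issue(self, phone):
        """Generate a fresh six-digit code for `phone`, replacing any old one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"code": code, "issued": self._now(), "failures": 0}
        return code                # a real system sends this by SMS, never returns it

    def verify(self, phone, guess):
        """Return "ok", "wrong", "locked", "expired" or "no_pending_code"."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        # constant-time comparison avoids leaking matching prefixes via timing
        if hmac.compare_digest(entry["code"], guess):
            del self._pending[phone]       # a code is single-use
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self._pending[phone]       # force the user to request a new code
            return "locked"
        return "wrong"
```

Lockout events like "locked" are also the signal a monitoring team would alert on: many lockouts against one number, or from one source, indicate guessing rather than user error.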
Mänôz discovered the bug in the Meta Accounts Center last year and reported it to the company in mid-September. Meta fixed the bug a few days later and paid Mänôz $27,200 for the report.
Meta spokesperson Gabby Curtis told TechCrunch that the login system was still in a small public testing stage when the bug was found. Curtis also said that Meta's investigation after the bug was reported found no evidence of exploitation, and that Meta saw no increase in the use of that particular feature, which indicates that no one had abused it.