Nepali Hacker finds bug that allowed anyone to bypass Facebook, Instagram 2FA Security

A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious attackers to switch off an account's two-factor protections just by knowing the owner's phone number.

Gtm Mänôz, a security researcher from Kathmandu, Nepal, realized that Meta did not limit the number of attempts a user could make when entering the two-factor code used to log in to their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.

With a victim's phone number, an attacker would go to the centralized Accounts Center, enter the victim's phone number, link that number to their own Facebook account, and then brute-force the two-factor SMS code. This was the crucial step, because there was no upper limit on the number of attempts someone could make.
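The missing limit described above is a rate-limiting failure on the code-verification step. As an added example that is not from the article or from Meta, here is a small Python verifier showing the difference between no attempt limit and a hardened version with a lockout, expiry and single use; the six-digit code length, the 300-second lifetime and the limit of five attempts are assumptions, not Meta's real settings.

```python
import hmac
import secrets
import time

class OtpVerifier:
    """Checks SMS 2FA codes. max_attempts=None mirrors the missing limit
    described above; a small limit plus expiry and single use is the fix."""
    CODE_LEN = 6
    TTL_SECONDS = 300  # assumed code lifetime; not Meta's real value

    def __init__(self, max_attempts=5, now=time.time):
        self.max_attempts = max_attempts
        self.now = now  # injectable clock so expiry can be tested offline
        self._challenges = {}  # phone -> {code, issued, fails, used}

    def issue(self, phone: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_LEN))
        self._challenges[phone] = {"code": code, "issued": self.now(), "fails": 0, "used": False}
        return code  # a real system sends this by SMS instead of returning it

    def _over_limit(self, ch) -> bool:
        return self.max_attempts is not None and ch["fails"] >= self.max_attempts

    def verify(self, phone: str, submitted: str) -> str:
        ch = self._challenges.get(phone)
        if ch is None or ch["used"]:
            return "no_challenge"
        if self.now() - ch["issued"] > self.TTL_SECONDS:
            del self._challenges[phone]
            return "expired"
        if self._over_limit(ch):
            return "locked"  # the code is dead; a fresh one must be requested
        if hmac.compare_digest(ch["code"].encode(), submitted.encode()):
            ch["used"] = True  # single use
            return "ok"
        ch["fails"] += 1
        return "locked" if self._over_limit(ch) else "wrong"

def simulate_guessing(verifier: OtpVerifier, phone: str, guesses) -> tuple:
    """Regression check: submit guesses until the verifier stops answering
    'wrong'; returns (final answer, attempts used)."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        answer = verifier.verify(phone, guess)
        if answer != "wrong":
            return answer, attempts
    return "exhausted", attempts
```

With the limit in place the correct code is rejected after the lockout, so the only recovery is requesting a new SMS, which is the event a defender can alert on.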

Once the attacker obtained the SMS code by brute force, the victim's phone number became linked to the attacker's Facebook account. A successful attack would still result in Meta sending a message to the victim saying that their two-factor authentication had been disabled because their phone number had been linked to someone else's account.

“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Gtm Mänôz told TechKitap.

An email from Meta to an account owner telling them that their two-factor protections have been switched off. 
Image Credits: Gtm Mänôz (screenshot)

At this point, theoretically, an attacker could try to take over the victim's Facebook account just by phishing for the password, given that the target no longer had two-factor enabled.

Gtm Mänôz found the bug in the Meta Accounts Center last year and reported it to the company in mid-September. Meta fixed the bug a few days later and paid Mänôz $27,200 for reporting it.

Meta spokesperson Gabby Curtis told Tech Kitap that, at the time of the bug, the login system was still at the stage of a small public test. Curtis also said that Meta's investigation after the bug was reported found no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would have signalled that no one was abusing it.

January 30: Headline updated to reflect that only Facebook accounts were vulnerable to the bug; this was due to an editing error.
