Others · January 30, 2023

Hacker finds bug that allowed anyone to bypass Facebook and Instagram 2FA

A bug in a new centralized system that Meta created for users to toptechtrends.com/2023/01/19/meta-centralizes-more-user-and-privacy-settings-across-its-apps-announces-changes-to-ads-controls/” target=”_blank” rel=”noopener”>manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their email address or phone number.

Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.

With a victim’s phone number or email address, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Instagram or Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make.

Once the attacker got the code right, the victim’s phone number became linked to the attacker’s account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else’s account.

“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.

toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg” alt=’A screenshot of an email sent by Meta to a user that says: “We wanted to let you know that your phone number registered and verified by another person on Facebook.”‘ width=”900″ height=”417” srcset=”https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg 2240w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=150,70 150w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=300,139 300w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=768,356 768w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=680,315 680w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=1536,712 1536w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=2048,950 2048w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=1200,557 1200w, https://toptechtrends.com/wp-content/uploads/2023/01/facebook-email-two-factor-1.jpg?resize=50,23 50w” sizes=”(max-width: 900px) 100vw, 900px”>

An email from Meta to an account owner telling them that their two-factor protections have been switched off. Image Credits: Gtm Mänôz (screenshot)

At this point, theoretically, an attacker could try to take over the victim’s account just by phishing for the password, given that the target didn’t have two-factor enabled anymore.

Mänôz found the bug in the Meta Accounts Center last year, and reported it to the company in mid-September. Meta fixed the bug a month later, and paid Mänôz $27,200 for reporting the bug.

It’s unclear if any malicious hackers also found the bug and exploited it before Facebook fixed it. Meta did not immediately respond to a request for comment.

toptechtrends.com/2021/12/02/facebook-two-factor-mandatory/”>Facebook is making two-factor mandatory for high-risk accounts

toptechtrends.com/2023/01/30/facebook-instagram-two-factor-bypass-bug/”>Hacker finds bug that allowed anyone to bypass Facebook and Instagram 2FA by toptechtrends.com/author/lorenzo-franceschi-bicchierai/”>Lorenzo Franceschi-Bicchierai originally published on toptechtrends.com/”>TechCrunch

About The Author