A security researcher finds a vulnerability that allows anyone to bypass Facebook's two-factor authentication
The vulnerability lies in a new centralized system created by Meta Inc. through which users manage their logins to Facebook and Instagram. It allowed anyone who knew a victim's email address or phone number to interfere with the victim's account, as a researcher has now revealed.
Gtm Mänôz, a security researcher from Nepal, found that Meta did not limit the number of attempts to enter a two-factor authentication code when logging into accounts through the new Meta Account Center, the feature that lets users link their Meta accounts such as Facebook and Instagram.
Knowing the victim's phone number or email address, the attacker can open the account center from their own account and enter the victim's phone number to associate it with the attacker's Facebook account. Meta then asks for a two-factor authentication code, which is usually sent via SMS to that phone number.
Because there was no cap on the number of code attempts, the attacker could keep guessing until the code sent to the victim was found. The victim's phone number is then linked to the attacker's Facebook account, which disables two-factor authentication on the victim's own social-network account.
When the attack succeeds in linking the victim's phone number to the attacker's account, Meta sends the victim a message saying that two-factor authentication has been disabled because their phone number is now linked to someone else's account.
At this point, if the victim does not act on that message, the attacker can attempt to take control of the victim's Facebook account via password phishing, since the account is no longer protected by two-factor authentication.
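The defect described above is the absence of a cap on code guesses. The sketch below is an added example, not Meta's code, of how a phone-linking challenge can be made brute-force resistant: a fixed attempt budget, single use, and a time limit, with a constant-time comparison. `PhoneLinkChallenge`, `MAX_ATTEMPTS` and the return strings are assumptions for illustration.

```python
import hmac
import secrets
import time
from typing import Optional

MAX_ATTEMPTS = 5       # wrong guesses allowed per issued code (assumed policy)
CODE_LENGTH = 6        # six-digit SMS code
CHALLENGE_TTL = 600    # seconds a code stays valid


class PhoneLinkChallenge:
    """One pending 'link this phone number to my account' verification."""

    def __init__(self, phone: str, now: Optional[float] = None) -> None:
        self.phone = phone
        # secrets, not random: the code must be unpredictable
        self.code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self.created = time.time() if now is None else now
        self.failures = 0
        self.burned = False  # True once the code can never verify again

    def verify(self, guess: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        now = time.time() if now is None else now
        if self.burned:
            return "locked"
        if now - self.created > CHALLENGE_TTL:
            self.burned = True
            return "expired"
        # constant-time compare: no timing hint about which digits matched
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.burned = True  # single use: a code never verifies twice
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.burned = True  # budget exhausted: burn the code
            return "locked"
        return "wrong"


def exhaustive_guess_attempts(challenge: PhoneLinkChallenge) -> tuple:
    """Simulate guessing every code in order; return (attempts, last result).

    With the cap in place the loop stops after MAX_ATTEMPTS instead of
    walking the whole 10**CODE_LENGTH space as it could in the original bug.
    """
    for n in range(10 ** CODE_LENGTH):
        result = challenge.verify(f"{n:0{CODE_LENGTH}d}", now=challenge.created)
        if result != "wrong":
            return n + 1, result
    return 10 ** CODE_LENGTH, "wrong"
```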
Mänôz discovered the vulnerability in Meta's account center last year and reported it to the company in mid-September 2022. A month later, Meta fixed the bug and paid the researcher $27,200 for the report.
It is currently unclear whether any attackers discovered and exploited the vulnerability before it was patched.