Meta’s 2FA security protections could have been switched off with ease

Meta forgot a key security check in a new UI

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

As late as September 2022, a bug in Meta’s centralized account management system allowed threat actors to remove2FAprotections for Facebook accounts simply by knowing the phone number attached to an account.

According to aMedium post, (viaTechcrunch), security researcher Gtm Mänôz found that, from theMeta Accounts Centeraccount management system designed to link Facebook and Instagram accounts, an attacker could enter a victim’s phone number, link the number to their own Facebook account, and then brute force the 2FA SMS code for the victim’s account, thanks to there being no set upper limit for code entry attempts.

Following a successful attempt, victims would have their 2FA disabled, leaving their accounts only secured by a password, which, following aphishingorsocial engineeringattack, could easily be retrieved by a dedicated threat actor.

TechRadar Pro needs you!

We want to build a better website for our readers, and we need your help! You can do your bit by filling outour surveyand telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Meta’s bug bounty program

In his Medium post, Mänôz claimed to have found the bug in preparation for BountyCon, a security researcher conference co-hosted by Meta andGoogle, simply by prodding “a new looking UI” within Meta Accounts Center.

He also claimed that, because theendpointsthat verify e-mail addresses and phone numbers across Instagram and Facebook accounts were the same, verification for contact points that had already been attached to accounts could be bypassed, making the bug possible.

Meta hit with huge fine for leaking user data>What is ID fraud and why is identity theft a problem?>We’ve also listed the best identity theft protection services right now

Though it’s unknown just how long the bug was active within the Facebook portion of Meta Account Center’s 2FA system, a fix appeared after just over a month, with Mänôz submitting a bug report to Meta on September 14, and a fix being confirmed to him on October 17.

Meta itself mentioned the bug in the2022 recap of its Bug Bounty Program, noting that Mänôz was awarded $27,200 for his efforts.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)