A bug in Meta Platforms’ newly-launched centralised login management system could have allowed hackers to switch off Facebook or Instagram users’ two-factor authentication (2FA), TechCrunch reports.
Nepalese security researcher Gtm Mänôz uncovered the vulnerability in the Meta Accounts Centre in 2022.
The main problem was that the company did not limit the number of attempts a user could make when entering a 2FA code, leaving the code field open to brute-force guessing.
Mänôz found that an attacker could enter a phone number linked to a victim’s account into their own Accounts Centre and then brute-force the 2FA code field, submitting guessed codes until one matched, because nothing capped the number of tries.
Once the correct code was entered, Facebook would link the phone number to the attacker’s account and de-link it from the victim’s account, disabling their 2FA in the process.
The overall impact was that anyone could disable another user’s 2FA knowing only their phone number, at least until that user re-enabled it.
Although Meta sends the victim a message informing them of the change, an attacker could exploit the window in which 2FA is switched off before the victim re-enables it.
Aside from the account holder’s password, no other security barrier would then stand between the attacker and the targeted account.
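The root cause described above is a missing attempt limit on one-time-code verification. The following is an added example (not Meta's code, and not a description of Meta's fix) of a one-time-code verifier that enforces a failed-attempt budget. The policy values (five attempts, a 15-minute lockout, a 5-minute code lifetime, six-digit codes) are assumptions chosen for illustration. The design point worth noting is that the counter is keyed by the phone number being claimed rather than by the requesting account or session, because an attacker can always open fresh accounts or sessions but cannot change the victim's number.

```python
"""Added example: a one-time-code verifier with a failed-attempt budget.
Not Meta's code; policy constants are assumed values for illustration."""
import hmac
import secrets
import time

CODE_DIGITS = 6              # assumed: six-digit SMS code, 10**6 possibilities
MAX_ATTEMPTS = 5             # assumed policy value
LOCKOUT_SECONDS = 15 * 60    # assumed policy value
CODE_TTL_SECONDS = 5 * 60    # assumed policy value


class ManualClock:
    """Controllable clock so the demo and tests are deterministic."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class CodeVerifier:
    """Verifies one-time codes and locks a phone number after repeated failures.

    Without the attempt budget (the weakness the article describes), a
    six-digit code can be exhausted in at most 10**6 guesses; with it, an
    attacker gets MAX_ATTEMPTS guesses per code before the number is locked.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS,
                 ttl=CODE_TTL_SECONDS, clock=time.monotonic):
        self._max_attempts = max_attempts
        self._lockout = lockout
        self._ttl = ttl
        self._clock = clock
        self._challenges = {}  # phone_number -> {"code", "expires", "failures", "locked_until"}

    def issue(self, phone_number):
        """Create a fresh code for this number. Returns None while the number is locked.
        In production the code is sent by SMS and never returned to the caller."""
        now = self._clock()
        state = self._challenges.setdefault(
            phone_number, {"failures": 0, "locked_until": 0.0})
        if now < state["locked_until"]:
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        state["code"] = code
        state["expires"] = now + self._ttl
        return code

    def verify(self, phone_number, guess):
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        now = self._clock()
        state = self._challenges.get(phone_number)
        if state is None:
            return "expired"
        if now < state["locked_until"]:          # lock is checked before anything else
            return "locked"
        code = state.get("code")
        if code is None or now >= state["expires"]:
            state.pop("code", None)
            return "expired"
        if hmac.compare_digest(code, str(guess)):  # constant-time comparison
            del state["code"]                       # single use: no replay of a correct code
            state["failures"] = 0
            return "ok"
        state["failures"] += 1
        if state["failures"] >= self._max_attempts:
            state["locked_until"] = now + self._lockout
            state["failures"] = 0
            del state["code"]                       # a new challenge is required after lockout
            return "locked"
        return "wrong"


if __name__ == "__main__":
    clock = ManualClock()
    verifier = CodeVerifier(clock=clock)
    number = "+15555550100"  # constructed sample number
    code = verifier.issue(number)
    wrong = "000000" if code != "000000" else "000001"
    for i in range(MAX_ATTEMPTS):
        print(f"guess {i + 1}: {verifier.verify(number, wrong)}")
    print("correct code while locked:", verifier.verify(number, code))
```

A per-number lockout also means an attacker who knows the victim's number can keep the victim's own legitimate attempts locked out; production systems usually soften this with escalating delays rather than a hard lock, and notify the number's owner, but the core property shown here, a bounded number of guesses per issued code, is what was missing in the reported bug.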
Mänôz reported the glaring oversight to Meta, which fixed it and awarded him $27,200 (R473,050) for the report.