{"id":478531,"date":"2023-02-01T21:03:30","date_gmt":"2023-02-01T19:03:30","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=478531"},"modified":"2023-02-01T21:05:56","modified_gmt":"2023-02-01T19:05:56","slug":"facebook-security-bug-allowed-hacker-to-switch-off-two-factor-authentication","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/478531-facebook-security-bug-allowed-hacker-to-switch-off-two-factor-authentication.html","title":{"rendered":"Facebook security bug allowed hacker to switch off two-factor authentication"},"content":{"rendered":"

A bug in Meta Platforms’ newly-launched centralised login management system could have allowed hackers to switch off Facebook or Instagram users’ two-factor authentication (2FA), TechCrunch reports<\/strong><\/a>.<\/p>\n

Nepalese security researcher Gtm M\u00e4n\u00f4z uncovered the vulnerability in the Meta Accounts Centre<\/strong><\/a> in 2022.<\/p>\n

The main problem was that the company did not limit the number of attempts users were allowed to make when entering a 2FA code.<\/p>\n

M\u00e4n\u00f4z found that an attacker could enter a phone number linked to a victim’s account in his own accounts centre and then brute-force the 2FA text field with an endless combination of guessed codes.<\/p>\n

Once the correct code was entered,\u00a0Facebook would link the phone number to the attacker’s account and de-link it from the victim’s account, disabling their 2FA in the process.<\/p>\n

The overall impact was that anyone could disable another user’s 2FA using only their phone number, at least until that user reactivated it again.<\/p>\n

Although Meta sends a message to the victim informing them of the change, it is possible that an attacker could exploit 2FA being turned off before they re-enable it.<\/p>\n

Aside from the account holder’s password, there would be no other security barrier preventing the attacker from accessing the targeted account.<\/p>\n

M\u00e4n\u00f4z reported the glaring oversight to Meta, who fixed it and rewarded him with $27,200 (R473,050) for his report.<\/p>\n

\n

Now read: Must-have cybersecurity products and services for businesses<\/a><\/h2>\n","protected":false},"excerpt":{"rendered":"

Meta did not set a limit on the number of times someone was allowed to enter and submit the 2FA code received via SMS. <\/p>\n","protected":false},"author":23,"featured_media":478543,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[161,10424,73842],"class_list":["post-478531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-facebook","tag-instagram","tag-meta-platforms"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/478531"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=478531"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/478531\/revisions"}],"predecessor-version":[{"id":478683,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/478531\/revisions\/478683"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/478543"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=478531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=478531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=478531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}