Your Tech Story


Facebook Bug Allows 2FA Bypass Via Instagram

A flaw in Meta’s new centralized system for managing Facebook and Instagram account logins could have let an attacker disable a user account’s two-factor authentication merely by knowing the victim’s mobile number.

Image source: technologistan.pk

Gtm Mänôz, a Nepalese security researcher, discovered that Meta did not limit the number of attempts a user could make when entering the two-factor code used to log into their accounts on the new Meta Accounts Center, which lets users link all of their Meta accounts, including Instagram and Facebook.

An attacker would open the centralized Accounts Center, enter the victim’s mobile number, link that number to their own Facebook or Instagram account, and then guess the two-factor authentication code by brute force. This was the crucial step, because there was no limit on how many attempts could be made.


When the attacker entered the correct code, the victim’s phone number was linked to the attacker’s Facebook account. Even a successful attack still caused Meta to notify the victim that their two-factor authentication had been disabled because their phone number had been linked to another account.
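The control whose absence the article describes is an attempt limit on the code check. The following Python is an added example, not Meta’s code or anything from the researcher’s report: it models a phone-linking verification step with a per-number failure limit and cool-down. The constants MAX_ATTEMPTS, LOCKOUT_SECONDS and CODE_LENGTH, the LinkVerifier class and the sample phone number are illustrative assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not Meta's or the researcher's code): a phone-linking
# verification step that enforces the attempt limit the article says was missing.
# MAX_ATTEMPTS, LOCKOUT_SECONDS and CODE_LENGTH are illustrative assumptions.
MAX_ATTEMPTS = 5            # wrong guesses tolerated per issued code
LOCKOUT_SECONDS = 15 * 60   # cool-down before a new code may be requested
CODE_LENGTH = 6             # digits in the SMS code


@dataclass
class PendingLink:
    code: str          # the code that was sent to the phone
    failures: int = 0  # wrong guesses recorded against this code


class LinkVerifier:
    """Tracks codes issued for linking a phone number to an account."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so tests can advance time
        self._pending = {}        # phone -> PendingLink
        self._locked_until = {}   # phone -> unix time when the cool-down ends

    def start_link(self, phone):
        """Issue a fresh code for `phone`; refused while the number is cooling down."""
        if self._clock() < self._locked_until.get(phone, 0.0):
            raise PermissionError("phone number is in cool-down after too many failures")
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[phone] = PendingLink(code=code)
        # A real service sends `code` by SMS here; it is returned only so that
        # this example is self-contained.
        return code

    def verify(self, phone, guess):
        """Check one guess. Returns 'ok', 'wrong', 'locked' or 'no_pending_link'."""
        link = self._pending.get(phone)
        if link is None:
            return "no_pending_link"
        # compare_digest needs ASCII strings; malformed input simply counts as a failure.
        well_formed = guess.isascii() and guess.isdigit() and len(guess) == CODE_LENGTH
        if well_formed and hmac.compare_digest(link.code, guess):
            del self._pending[phone]
            return "ok"
        link.failures += 1
        if link.failures >= MAX_ATTEMPTS:
            # Burn the code and start the cool-down so guessing cannot continue.
            del self._pending[phone]
            self._locked_until[phone] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def max_guess_success_probability():
    """Chance that someone using the whole attempt budget hits the right code."""
    return MAX_ATTEMPTS / 10 ** CODE_LENGTH


if __name__ == "__main__":
    v = LinkVerifier()
    number = "+15555550100"  # constructed sample number
    code = v.start_link(number)
    print(v.verify(number, "000000" if code != "000000" else "000001"))  # wrong
    print(v.verify(number, code))                                         # ok
    print(f"worst-case success per issued code: {max_guess_success_probability():.1e}")
```

With a six-digit code and five attempts, an attacker who has only the phone number gets at most a 5-in-a-million chance per issued code, and the cool-down stops them from simply requesting codes in a loop; without the limit, the same code space is exhaustible in about a million requests, which is the condition the researcher exploited.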

“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.

Source: techcrunch.com

With two-factor authentication no longer enabled on the target account, an attacker could then attempt to take over the victim’s Facebook account simply by spoofing the password.


Mänôz discovered the flaw in the Meta Accounts Center last year and reported it to the company in mid-September. A few days ago, Meta fixed the bug and paid Mänôz 27,200 USD for disclosing it.

“If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account,” Mänôz wrote. “And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim’s account.”

Source: darkreading.com

According to Meta spokesperson Gabby Curtis, the login system was still in the early stages of a limited public test at the time of the flaw. Curtis added that after the bug was reported, Meta investigated and found no evidence of abuse in the wild and no sudden spike in use of that feature, indicating that nobody had exploited it.
