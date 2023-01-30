



A bug in a new centralized system created by Meta for users to manage their Facebook and Instagram logins may have allowed malicious hackers to turn off two-factor protection for a victim's account simply by knowing their phone number.

Gtm Mnz, a security researcher in Nepal, noticed that Meta did not set a limit on the number of attempts when users entered the two-factor code used to log into their accounts in the new Meta Accounts Center, the system that lets users link all their Meta accounts, such as Facebook and Instagram.

Using only the victim's phone number, an attacker could go to the Accounts Center, enter the victim's phone number, link that number to the attacker's own Facebook account, and then brute-force the two-factor SMS code. This was the critical step, as there was no upper limit on the number of attempts.

Once the attacker successfully obtained the code, the victim's phone number became linked to the attacker's Facebook account. Even when the attack succeeds, Meta sends a message to the victim telling them that their phone number has been linked to someone else's account and that two-factor authentication has therefore been disabled.
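The defect Mnz found is the absence of an attempt limit on the SMS code check. As an added illustration (not Meta's code and not from the researcher's report), the verifier below enforces a per-phone-number attempt limit and a code lifetime; MAX_ATTEMPTS and CODE_TTL_SECONDS are assumed policy values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example of a rate-limited SMS one-time-code check (not Meta's
# code). The missing control in the bug described above is an attempt limit,
# so this verifier enforces one per phone number and kills the code once the
# limit is reached, which caps a brute-force attempt at MAX_ATTEMPTS guesses.

MAX_ATTEMPTS = 5          # assumed policy: five wrong guesses invalidate the code
CODE_TTL_SECONDS = 300    # assumed policy: a code expires after five minutes


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failures: int = 0
    locked: bool = False


class OtpVerifier:
    def __init__(self, now=time.time):
        self._pending: dict[str, PendingCode] = {}
        self._now = now   # injectable clock so expiry can be tested offline

    def issue(self, phone: str) -> str:
        """Generate a fresh 6-digit code for this phone; resets the counter."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[phone] = PendingCode(code=code, issued_at=self._now())
        return code  # would go to the SMS sender, never back to the client

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired' for one guess."""
        entry = self._pending.get(phone)
        if entry is None or self._now() - entry.issued_at > CODE_TTL_SECONDS:
            self._pending.pop(phone, None)
            return "expired"
        if entry.locked:
            return "locked"
        # Constant-time compare so response timing does not leak matching digits.
        if hmac.compare_digest(entry.code, guess):
            del self._pending[phone]   # single use: a code never verifies twice
            return "ok"
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            entry.locked = True        # even the correct code is now refused
            return "locked"
        return "wrong"
```

A real deployment would also alert the account owner and back the counter with shared storage so that retries cannot be spread across servers.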

"Basically, the biggest impact here was to revoke SMS-based 2FA just by knowing your phone number," Mnz told TechCrunch.

At this point, in theory, an attacker could attempt to take over the victim's Facebook account simply by phishing for the password, since two-factor authentication is no longer enabled on the target account.

Mnz discovered the bug in the Meta Accounts Center last year and reported it to the company in mid-September. Meta fixed the bug a few days later and paid Mnz $27,200 for the report.

Gabby Curtis, a spokesperson for Meta, told TechCrunch that the login system was still in a small public testing phase when the bug was found. Curtis also said that Meta's investigation after the bug was reported found no evidence of actual abuse, and that Meta did not see a spike in usage of that particular feature, which indicates that nobody exploited it.

January 30: Headline updated to reflect that only Facebook accounts were vulnerable to the bug; the original wording was an editing error. ZW.

Updated with comment from Meta.

