A Bug (Now Fixed) Allowed Anyone to Bypass Facebook’s Two-Factor Authentication

Meta did not set up a limit of attempts when a user entered the two-factor code to log on to the new Meta Accounts Center


A bug in a new centralized system that Meta created for users to manage their Facebook and Instagram logins may have allowed attackers to switch off two-factor authentication on an account simply by knowing the victim’s phone number.

This was discovered by Gtm Mänôz, a security researcher from Nepal, who realized that Meta did not limit the number of attempts a user could make when entering the two-factor code to log on to the new Meta Accounts Center, the system that helps users link all their Meta accounts.

So, with a victim’s phone number, an attacker could go to the centralized Accounts Center, enter that phone number, attempt to link it to their own Facebook account, and then brute-force the two-factor SMS code sent to confirm the link. This was possible because there was no upper limit on the number of attempts someone could make.

Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. That, however, would prompt Meta to send a message to the victim saying their two-factor authentication had been disabled because their phone number had been linked to someone else’s account.
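To make the missing control concrete, here is an added example (not Meta’s code and not from the article): a toy SMS-code verifier that can run with or without an attempt budget, plus a defender-side measurement of how many sequential guesses each policy lets through before the challenge is consumed, locked or expired. MAX_ATTEMPTS, CODE_TTL_SECONDS and the phone numbers are assumed or constructed values, not Meta’s.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LEN = 6
MAX_ATTEMPTS = 5        # assumed policy value, not Meta's
CODE_TTL_SECONDS = 600  # assumed policy value

@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0

class OtpVerifier:
    """Toy SMS-code verifier: enforce_limit=False reproduces the missing cap, True adds cap + expiry."""
    def __init__(self, enforce_limit: bool, now=time.time):
        self.enforce_limit, self.now, self.challenges = enforce_limit, now, {}

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.challenges[phone] = Challenge(code, self.now())
        return code  # would go out by SMS; returned here only so the demo can check it

    def verify(self, phone: str, guess: str) -> str:
        ch = self.challenges.get(phone)
        if ch is None:
            return "no_challenge"
        if self.enforce_limit:
            if ch.attempts >= MAX_ATTEMPTS:
                return "locked"  # budget spent: even the right code is refused now
            if self.now() - ch.issued_at > CODE_TTL_SECONDS:
                del self.challenges[phone]
                return "expired"
            ch.attempts += 1
        if hmac.compare_digest(ch.code, guess):  # constant-time comparison
            del self.challenges[phone]           # single use
            return "ok"
        if self.enforce_limit and ch.attempts >= MAX_ATTEMPTS:
            return "locked"
        return "wrong"

def guesses_until_stop(verifier, phone):
    """Defender-side measurement: sequential guesses the policy lets through before stopping."""
    for n in range(10 ** CODE_LEN):
        result = verifier.verify(phone, f"{n:0{CODE_LEN}d}")
        if result != "wrong":
            return result, n + 1
    return "exhausted", 10 ** CODE_LEN
```

Without the cap the loop always reaches "ok" somewhere inside the 1,000,000-code space; with it, the same loop stops at "locked" after MAX_ATTEMPTS guesses, and the expiry check closes the window for slower, spread-out guessing.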

“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.

At this point, an attacker could try to take over the victim’s Facebook account by phishing for the password, since the target no longer had two-factor enabled. Or, they could contact the victim’s friends and ask them to sign up for some services.

Mänôz reported the bug to Meta in mid-September; Meta fixed it a few days later and paid Mänôz $27,200 for reporting it.

The good thing is that at the time of the bug, the login system was still at the stage of a small public test, and there was no evidence of exploitation in the wild, according to Meta spokesperson Gabby Curtis.

It’s good that this all ended well for Meta and its users, but we can hardly rely on pure luck that something like this won’t happen again, perhaps next time with real damage done.

In the meantime, make sure to use impossible-to-guess passwords coupled with 2FA and, of course, use a VPN.