A flaw in a new, centralized system that Meta developed for users to manage their Facebook and Instagram logins could have made it possible for nefarious hackers to disable two-factor safeguards on an account simply by knowing the phone number of the account holder.
When a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which enables users to link all of their Meta accounts, including Facebook and Instagram, Gtm Mänôz, a security researcher from Nepal, realized that Meta had not set up a limit on the number of attempts.
An attacker might use the victim’s phone number to access the centralized accounts center, link the victim’s number to their own Facebook account, and then brute force the two-factor SMS code. Since there was no cap on how many attempts a person might make, this was the crucial phase.
Once the attacker cracked the code, his Facebook account was connected to the victim’s phone number. After a successful attack, Meta would still notify the victim that their two-factor authentication had been blocked because their phone number had been connected to another account.
According to Mänôz, canceling anyone’s SMS-based 2FA just by knowing their phone number has the greatest impact.
Given that the target no longer had two-factor enabled, an attacker might possibly attempt to access the victim’s Facebook account at this time by phishing for the password.
Last year, Mänôz discovered the problem in the Meta Accounts Center and informed the business of it in mid-September. A few days later, Meta corrected the issue and gave Mänôz $27,200 as compensation for reporting it.
According to Meta spokesperson Gabby Curtis, the login system was still in the early stages of a limited public test at the time of the problem. Additionally, according to Curtis, Meta’s research into the flaw when it was discovered revealed no indication of its exploitation in the wild and no rise in usage of that specific feature, which would indicate that it was not being abused.