
New Facebook security flaw allowed hackers to disable two-factor authentication


Two-factor authentication is generally considered one of the best ways to secure your account, but it’s not foolproof. In a recent incident, Nepalese security researcher Gtm Mänôz discovered a security flaw in Meta’s new centralized system which could’ve allowed malicious hackers to switch off a Facebook user’s two-factor authentication by simply knowing their phone number.

Security flaw in Meta’s privacy control hub

Gtm Mänôz found that the flaw stemmed from an oversight by Facebook engineers when building the Accounts Center feature: they failed to limit the number of attempts a user could make when entering the two-factor code. As a result, an attacker could link a victim’s phone number to their own Facebook account, brute-force the two-factor SMS code, and disable the victim’s two-factor authentication.

Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account, which made taking over the victim’s account much easier, as the attacker would then only need to phish for the password.
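The missing control described above, as an added example that is not Meta’s code: a minimal SMS-code verifier for a phone-number link request, with an attempt limit (an assumed policy of five guesses), code expiry and single use, plus a regression check that confirms an exhaustive guessing loop is locked out, while the same loop succeeds against a verifier configured without a limit (the pre-fix behaviour). Account ids and phone numbers in the tests are constructed.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5        # assumed policy: lock the challenge after 5 wrong guesses
CODE_TTL_SECONDS = 300  # assumed policy: a code is only valid for 5 minutes

class OtpVerifier:
    """Verifies the SMS code sent when a phone number is linked to an account."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS):
        self.max_attempts = max_attempts  # None reproduces the unlimited, pre-fix behaviour
        self.ttl = ttl
        self.challenges = {}  # (account_id, phone) -> challenge state

    def issue(self, account_id, phone, now=None):
        # Fresh random code per request; re-issuing discards the old code and its counter.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[(account_id, phone)] = {
            "code": code, "issued": time.time() if now is None else now,
            "attempts": 0, "locked": False,
        }
        return code  # a real system hands this to the SMS gateway, never to the caller

    def verify(self, account_id, phone, guess, now=None):
        ch = self.challenges.get((account_id, phone))
        if ch is None:
            return "no_challenge"
        if ch["locked"]:
            return "locked"  # once locked, even the right code is refused; user must re-request
        if (time.time() if now is None else now) - ch["issued"] > self.ttl:
            return "expired"
        ch["attempts"] += 1
        if self.max_attempts is not None and ch["attempts"] > self.max_attempts:
            ch["locked"] = True
            return "locked"
        if hmac.compare_digest(ch["code"], str(guess)):  # constant-time compare
            del self.challenges[(account_id, phone)]       # single use
            return "ok"
        return "wrong"

def exhaustive_guess(verifier, account_id, phone, max_guesses=10 ** CODE_DIGITS):
    """Regression check: submit codes in order until one is accepted or the challenge locks."""
    for n in range(max_guesses):
        result = verifier.verify(account_id, phone, f"{n:0{CODE_DIGITS}d}")
        if result in ("ok", "locked", "expired"):
            return result, n + 1
    return "exhausted", max_guesses
```

With the limit in place the check stops at the sixth guess regardless of the code; without it the loop walks the whole six-digit space until it hits the code.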

Fortunately, Mänôz discovered the security flaw before any threat actors and reported it to Facebook in September. The company fixed the bug a few days later and awarded Mänôz $27,200 for reporting the bug. According to a spokesperson from Meta, the login system was still in its early testing stages at the time of the bug, and there was no evidence of exploitation in the wild.

Despite the quick resolution of the issue, it’s important to acknowledge that security and privacy breaches involving Meta’s suite of apps have been a recurring concern in recent years. Therefore, it is always a good idea to regularly update your passwords and never use the same password twice. Alternatively, for those users who have trouble remembering their passwords, a password manager like 1Password can make this easy.
