Security researcher finds bug that may have allowed hackers to bypass Facebook’s 2FA

Meta created a centralised system to allow users to manage connected experiences like logging in across accounts on Facebook and Instagram. A security researcher has said a bug in this system, called Meta Accounts Center, may have allowed hackers to disable two-factor authentication (2FA) – a way that helps users to keep their social media accounts protected from unauthorised access.
Gtm Mänôz, a security researcher from Nepal, said he reported a bug he found in the Meta Accounts Center in September last year.
Bug in Meta Accounts Center
Mänôz said he found that Meta did not limit the number of attempts to enter the login code it sends via SMS as part of the two-factor authentication process. According to the researcher, this bug would have allowed a hacker to bypass the authentication protections with a brute-force attack.

It is to be noted that when users set up two-factor authentication, they are asked for a special code to log in to an account. This code is sent every time users log in to their accounts. Users also get alerts when someone tries logging in from a browser or mobile device Meta doesn’t recognise.
This helps users keep their accounts safe even if hackers get a user’s phone number, because they won’t have the special code required to sign in to their accounts. Since there was no limit on attempts to authenticate via the login code, hackers could have guessed that code by entering it repeatedly until they got it right.
If the hacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. Meta will still send a message to the victims informing them that their 2FA was disabled and their phone number got linked to someone else’s account.

At this stage, since 2FA no longer protected that particular account, hackers could have taken over the victim’s account.
Meta fixed the bug
Mänôz said that soon after he found and reported the bug, Meta fixed this vulnerability. “We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report,” Meta said in a report in December.
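The missing control described above is an attempt limit on the SMS verification code. The following is an added illustration, not Meta’s code: a minimal server-side verifier (hypothetical `PhoneVerifier` class, constructed sample phone number) that invalidates a code after a small number of wrong guesses, expires it after a time window, and accepts it only once, so that a six-digit code cannot be enumerated.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is thrown away
CODE_TTL_SECONDS = 600    # a code is only valid for ten minutes after issue


@dataclass
class PendingVerification:
    """One outstanding phone-number confirmation code (constructed model)."""
    code: str
    issued_at: float
    failures: int = 0
    consumed: bool = False


class PhoneVerifier:
    """Hypothetical verifier showing the rate limit the article says was missing."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingVerification] = {}

    def issue_code(self, phone: str, now: Optional[float] = None) -> str:
        # Six random decimal digits, as sent by SMS; a new code replaces any old one.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[phone] = PendingVerification(code, time.time() if now is None else now)
        return code

    def verify(self, phone: str, guess: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        entry = self._pending.get(phone)
        if entry is None or entry.consumed:
            return "no_code"          # nothing to check against; caller must request a new code
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        if hmac.compare_digest(entry.code, guess):   # constant-time compare
            entry.consumed = True     # single use: a correct code cannot be replayed
            return "ok"
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            # With 10**6 possible codes and MAX_ATTEMPTS guesses, an attacker's chance per
            # issued code is MAX_ATTEMPTS / 10**6; discarding the code makes further guessing useless.
            del self._pending[phone]
            return "locked"
        return "wrong"
```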
