Meta created a centralised system, Meta Accounts Center, to let users manage connected experiences such as logging in across their Facebook and Instagram accounts. A security researcher has said a bug in this system may have allowed attackers to disable two-factor authentication (2FA), a protection that helps keep social media accounts safe from unauthorised access.
Gtm Mänôz, a security researcher from Nepal, said he reported a bug he found in the Meta Accounts Center in September 2022.
Bug in Meta Accounts Center
Mänôz said he found that Meta had not set a limit on the number of times the login code it sends via SMS as part of the two-factor authentication process could be entered. According to the researcher, this bug would have allowed a hacker to bypass the authentication protections using brute-force attacks.
When users set up two-factor authentication, they are asked for a special code to log in to their account. This code is sent every time they log in, and they also receive alerts when someone tries to log in from a browser or mobile device Meta doesn't recognise.
This helps users keep their accounts safe even if hackers obtain a user's phone number, because the attackers will not have the code required to sign in. Because there was no limit on login-code attempts, a hacker could have guessed the code by submitting guesses repeatedly until one was accepted.
Once the hacker guessed the code correctly, the victim's phone number became linked to the attacker's Facebook account. Meta would still send a message to the victim saying that their 2FA had been disabled and their phone number had been linked to someone else's account.
At that point, with 2FA no longer protecting the account, a hacker could have taken over the victim's account.
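The following is an added illustration, not code from Meta or from the researcher's report, of the two verifier shapes the story contrasts: a phone-verification check with no attempt limit, which a brute-force loop defeats in at most a million guesses, and the same check with a bounded attempt counter, code expiry and a constant-time compare. The six-digit code length, the five-attempt limit, the ten-minute expiry and the victim phone number are assumptions chosen for the example; Accounts Center's actual phone-linking and notification flow is not modelled, only the code check that the rate-limiting issue concerned.

```python
"""Constructed example: SMS verification-code check without and with an attempt limit."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6           # assumed code length
MAX_ATTEMPTS = 5          # assumed lockout policy
CODE_TTL_SECONDS = 600    # assumed code lifetime


def generate_code() -> str:
    """Zero-padded numeric code, e.g. '042913'."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class UnlimitedVerifier:
    """Vulnerable shape: every guess is checked, however many were already wrong."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges: dict[str, Challenge] = {}

    def start(self, phone: str) -> str:
        code = generate_code()
        self.challenges[phone] = Challenge(code=code, issued_at=self.clock())
        return code  # in production this goes out via SMS, not back to the caller

    def verify(self, phone: str, guess: str) -> bool:
        ch = self.challenges.get(phone)
        if ch is None or ch.consumed:
            return False
        ch.attempts += 1
        if guess == ch.code:        # no attempt cap: brute force always wins eventually
            ch.consumed = True
            return True
        return False


class RateLimitedVerifier(UnlimitedVerifier):
    """Hardened shape: bounded attempts per code, expiry, constant-time compare."""

    def verify(self, phone: str, guess: str) -> bool:
        ch = self.challenges.get(phone)
        if ch is None or ch.consumed:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[phone]          # stale code: force a fresh one
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False                        # locked, even if this guess is right
        ch.attempts += 1
        if hmac.compare_digest(guess.encode(), ch.code.encode()):
            ch.consumed = True
            return True
        return False


def brute_force(verifier, phone: str) -> tuple[bool, int]:
    """Attacker loop: try 000000..999999 in order. Returns (succeeded, guesses_sent)."""
    for n in range(10 ** CODE_DIGITS):
        if verifier.verify(phone, f"{n:0{CODE_DIGITS}d}"):
            return True, n + 1
    return False, 10 ** CODE_DIGITS


def demo() -> dict:
    phone = "+15555550100"   # constructed victim number

    vulnerable = UnlimitedVerifier()
    code = vulnerable.start(phone)
    ok_v, sent_v = brute_force(vulnerable, phone)

    hardened = RateLimitedVerifier()
    code_h = hardened.start(phone)
    ok_h, _ = brute_force(hardened, phone)
    # after the lockout the real code is refused too; only a fresh code can proceed
    right_code_after_lockout = hardened.verify(phone, code_h)

    fresh = RateLimitedVerifier()          # legitimate user, fresh challenge
    legit_ok = fresh.verify(phone, fresh.start(phone))

    return {
        "vulnerable_brute_force_succeeded": ok_v,
        "vulnerable_guess_matched_code": sent_v == int(code) + 1,
        "hardened_brute_force_succeeded": ok_h,
        "hardened_code_fell_in_allowed_attempts": int(code_h) < MAX_ATTEMPTS,
        "hardened_attempts_recorded": hardened.challenges[phone].attempts,
        "hardened_right_code_after_lockout": right_code_after_lockout,
        "legit_first_try": legit_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unlimited verifier the loop succeeds on exactly the guess equal to the code, so the attacker needs at most one million requests. Against the rate-limited verifier the same loop only wins if the code happens to fall within the first MAX_ATTEMPTS guesses, which is why the attempt cap, rather than the code length, is what makes SMS codes survive online guessing; the lockout also refuses the correct code once the budget is spent, so the only recovery path is issuing a new code.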
Meta fixed the bug
Mänôz said that soon after he found and reported the bug, Meta fixed this vulnerability. "We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone's phone number. We awarded a $27,200 bounty for this report," Meta said in a report in December.
Security researcher finds bug that may have allowed hackers to bypass Facebook's 2FA (607 words), posted on www.gadgetsnow.com on February 2, 2023. Cached copy on TechNews.