According to the latest reports, Facebook’s Account Center contains a bug that allows hackers to brute force SMS two-factor authentication. It simply allows them to bypass the extra protection. The social media giant claims to have patched the vulnerability in December. It was reported by Nepalese security researcher Gtm Mänôz, who shared details about the exploit in a Medium post earlier this month.
Facebook’s Account Center has a bug to bypass 2FA
This looks like an important find, as Facebook is paying more and more attention to the Accounts Center feature these days. The feature allows you to manage settings and security information, and to switch between your other accounts. According to reports, the attack was relatively simple: if you know the phone number or email address the other user used for two-factor authentication, you can link it to your own account, which eventually removes it from the victim’s account.
What is supposed to prevent this is a six-digit authentication code that’s usually sent to the other person’s account or phone number, which you don’t have access to. This bug lets an attacker guess that code by setting up a program or script to do the guessing. In the worst case, 2FA will be completely disabled on the victim’s account. Because the attack ran through Account Center, it bypassed some other security measures as well. Meta usually won’t let you add an already registered email address to your account, but this method got around that too.
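Guessing a six-digit code by script is only practical when wrong guesses are not capped. The following is an added example, not Meta's code and not taken from the researcher's write-up: a Python verifier that limits wrong guesses and code re-issues per contact point, whichever account asks. The class name, the limits and the in-memory storage are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5             # wrong guesses allowed per issued code (assumed)
CODE_TTL_SECONDS = 300       # code lifetime (assumed)
MAX_ISSUES_PER_WINDOW = 3    # codes that may be sent to one contact (assumed)
ISSUE_WINDOW_SECONDS = 3600  # worst case: 5 * 3 = 15 guesses per window

class ContactVerifier:
    """Checks six-digit codes sent when a phone/e-mail is linked to an account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # contact -> pending code record
        self._issued = {}    # contact -> timestamps of recent issues

    def issue(self, account_id, contact):
        """Return a fresh code (to be sent out-of-band), or None if rate-limited."""
        now = self._clock()
        recent = [t for t in self._issued.get(contact, [])
                  if now - t < ISSUE_WINDOW_SECONDS]
        self._issued[contact] = recent
        if len(recent) >= MAX_ISSUES_PER_WINDOW:
            return None
        recent.append(now)
        self._pending[contact] = {
            "code": f"{secrets.randbelow(10**6):06d}",
            "expires": now + CODE_TTL_SECONDS,
            "failures": 0,
            "account": account_id,
        }
        return self._pending[contact]["code"]

    def verify(self, account_id, contact, guess):
        entry = self._pending.get(contact)
        if entry is None or entry["account"] != account_id:
            return "no_pending_code"
        if self._clock() > entry["expires"]:
            del self._pending[contact]
            return "expired"
        if hmac.compare_digest(entry["code"].encode(), guess.encode()):
            del self._pending[contact]
            return "verified"
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self._pending[contact]   # burn the code; a new one must be issued
            return "locked"
        return "wrong_code"
```

Because both counters are keyed on the contact point being verified, switching the requesting account does not reset them.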
Reports claim that the company resolved the issue relatively quickly. The issue was reported on September 14, 2022, and was fixed by mid-October after Meta’s security team figured out how to test it. Facebook ended up paying Mänôz a $27,200 bug bounty for reporting the issue.