A vulnerability in Meta’s centralised account management system allowed threat actors to disable 2FA safeguards on Facebook accounts as recently as September 2022. All an attacker needed was the account holder’s phone number.
Security researcher Gtm Mänôz discovered that, in Meta Accounts Center, the account management system created to link Facebook and Instagram accounts, an attacker could enter a victim’s phone number, link that number to their own Facebook account, and then brute-force the 2FA SMS code for the victim’s account, because there was no upper limit on the number of code entry attempts.
If the attacker succeeded, two-factor authentication on the victim’s account was turned off, leaving it protected by the password alone and therefore open to a password-only breach via phishing or social engineering.
In a Medium article, Mänôz claimed to have discovered the flaw while poking around in Meta Accounts Center in advance of BountyCon, a security researcher conference co-hosted by Meta and Google.
He further stated that the flaw was feasible because Instagram and Facebook use the same endpoints to validate e-mail addresses and phone numbers, which allowed verification to be skipped for contact points that had already been added to an account.
Exactly how long the flaw in the Facebook integration of Meta Accounts Center’s 2FA system persisted is unclear; however, a patch was made available after a little over a month, with Mänôz filing a bug report with Meta on September 14 and a fix being confirmed to him on October 17.
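The root cause described above is the missing cap on code entry attempts. As an added illustration, not code from the article, from Meta or from the researcher, here is a minimal SMS-code verifier showing the unlimited-attempt pattern beside a hardened version that caps failures per issued code, expires codes and makes them single-use; the phone numbers, constants and in-memory store are hypothetical.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code (hypothetical value)
CODE_TTL_SECONDS = 300    # an issued code expires after five minutes (hypothetical value)


class SmsCodeVerifier:
    """Tracks one outstanding SMS code per contact point in a hypothetical in-memory store."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, now=time.time):
        self.max_attempts = max_attempts
        self.now = now              # injectable clock so expiry can be exercised in tests
        self._pending = {}          # phone -> {"code", "issued_at", "failures"}

    def issue(self, phone, code=None):
        """Issue a fresh code for this phone number; `code` may be fixed for testing."""
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = {"code": code, "issued_at": self.now(), "failures": 0}
        return code

    def verify_unlimited(self, phone, attempt):
        """Weak pattern: no attempt cap, so a 6-digit code survives at most 10**6 guesses."""
        entry = self._pending.get(phone)
        return entry is not None and hmac.compare_digest(entry["code"], attempt)

    def verify(self, phone, attempt):
        """Hardened: bounded failures, time-limited and single-use codes."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self.now() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[phone]        # stale code: require a re-issue
            return False
        if hmac.compare_digest(entry["code"], attempt):
            del self._pending[phone]        # one-time use: a replayed code is rejected
            return True
        entry["failures"] += 1
        if entry["failures"] >= self.max_attempts:
            del self._pending[phone]        # exhausted: even the right code now fails
        return False
```

Re-issuing a code after exhaustion restarts the guess count, so each new code also needs its own issuance rate limit per phone number and per account.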
In a 2022 summary of its Problem Bounty Program, Meta itself noted the bug and Mänôz’s $27,200 reward.