According to the latest reports, Facebook’s Account Center had a bug that let attackers brute force the SMS two-factor authentication code, which simply allowed them to bypass the additional protection. The social media giant claims to have fixed the vulnerability back in December. It was reported by Nepalese security researcher Gtm Mänôz, who shared the details of the exploit in a Medium post earlier this month.

Facebook’s Account Center Features A Bug To Bypass 2FA

No doubt, it seems to be a significant find, as Facebook is putting more and more focus on its Accounts Center feature nowadays. Accounts Center lets you manage settings and security information, and it also allows you to switch between your other accounts. According to reports, the attack was relatively simple: if you knew the phone number or email address another user had registered for two-factor authentication, you could easily link it to your own account, which would remove it from the victim’s.

The one thing that is supposed to prevent this is the six-digit authentication code sent to the other person’s email address or phone number, which you don’t have access to. The bug let an attacker guess that code with a program or script, because the number of attempts was not limited. In the worst case, this turned 2FA off entirely on the victim’s account. Because the flow ran through Accounts Center, it also defeated other security measures: Meta usually doesn’t let you add an already-registered email address to your account, but this method bypassed that check too.
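The two defensive checks the article describes as missing are a cap on wrong guesses for a six-digit code and a refusal to link a contact that already belongs to another account. The following is an added example, not Meta’s code or anything from the researcher’s write-up, of how a verification service can enforce both. The names (`VerificationService`, `Challenge`, the policy constants) and the sample accounts and contacts are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Policy values are constructed for this example; they are not Meta's real settings.
CODE_LENGTH = 6
MAX_FAILURES = 5          # wrong guesses allowed before the challenge is invalidated
CODE_TTL_SECONDS = 600    # a code is only valid for ten minutes after issue
LOCK_SECONDS = 900        # no new code for this contact while the lockout lasts


@dataclass
class Challenge:
    code: str
    account_id: str       # account that asked to link the contact
    contact: str          # phone number or e-mail being verified
    issued_at: float
    failures: int = 0
    consumed: bool = False


class VerificationService:
    """Issues and checks one-time codes used to link a contact to an account."""

    def __init__(self, registered_contacts, now=time.time):
        # contact -> account_id that already owns it (what the link flow must consult)
        self._owners = dict(registered_contacts)
        self._now = now
        self._challenges = {}     # (account_id, contact) -> Challenge
        self._locked_until = {}   # contact -> timestamp until which no code is issued
        self.audit_log = []       # events a detection pipeline would consume

    def issue(self, account_id, contact):
        """Return a fresh code, or None if the contact is owned by someone else or locked."""
        owner = self._owners.get(contact)
        if owner is not None and owner != account_id:
            self.audit_log.append(("refused_link_attempt", account_id, contact))
            return None
        if self._locked_until.get(contact, 0.0) > self._now():
            self.audit_log.append(("refused_during_lockout", account_id, contact))
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._challenges[(account_id, contact)] = Challenge(code, account_id, contact, self._now())
        return code  # a real service sends this out of band and never returns it to the caller

    def verify(self, account_id, contact, guess):
        """Check a guess; returns 'ok', 'wrong', 'locked', 'expired' or 'no_challenge'."""
        key = (account_id, contact)
        ch = self._challenges.get(key)
        if ch is None or ch.consumed:
            return "no_challenge"
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[key]
            return "expired"
        if ch.failures >= MAX_FAILURES:
            return "locked"          # budget exhausted: even the right code is refused now
        if secrets.compare_digest(ch.code, str(guess)):
            ch.consumed = True       # single use
            self._owners[contact] = account_id
            return "ok"
        ch.failures += 1
        if ch.failures >= MAX_FAILURES:
            # Lock the contact, not just this challenge, so re-requesting a code
            # does not hand the guesser a fresh attempt budget.
            self._locked_until[contact] = self._now() + LOCK_SECONDS
            self.audit_log.append(("challenge_locked", account_id, contact))
            return "locked"
        return "wrong"
```

With five attempts per code and a fifteen-minute lockout per contact, an exhaustive search of the million possible codes is no longer practical, and each lockout event lands in the audit log where a detection rule can alert on repeated lockouts against the same contact.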

Reports claim that the company fixed the issue relatively quickly. The issue was reported on September 14th, 2022, and it was fixed by mid-October, once Meta’s security team had figured out how to test it. Facebook ended up paying Mänôz a $27,200 bug bounty for reporting the issue.