Meta’s new unified system for managing Facebook and Instagram logins contained a bug that could have let an attacker take over your phone number and turn off your two-factor authentication.
Nepali security researcher Gtm Mänôz found that Meta had not set up limits on the number of attempts to enter a two-factor code when logging into the new Meta Account Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
An attacker goes to the central account center, enters the victim’s phone number, links that number to their own Facebook account, and then has to supply the two-factor SMS code sent to that number. This step is the crucial one because, as noted above, the number of attempts was not limited.
If the attacker entered the right code, the victim’s phone number would be linked to the attacker’s Facebook account. Meta would then send the victim a message saying the phone number had been disabled because it was linked to someone else’s account.
“The biggest impact of this is basically getting SMS-based 2FA on someone’s phone number,” Mänôz told TechCrunch.
At that point the attacker can try to guess the password and take over the victim’s Facebook account, since the target no longer has two-factor enabled.
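The missing control described above, as an added illustration that is not Meta’s code or the researcher’s: a constructed server-side verifier for the SMS code sent when linking a phone number. With `max_attempts=None` it accepts unlimited guesses against one code (the reported condition); with a small cap it discards the code after a few failures so a new SMS must be requested. The phone numbers, the 6-digit code format and the in-memory store are assumptions.

```python
import hmac
import secrets
import time


class PhoneLinkVerifier:
    """Checks the SMS code sent when a user links a phone number to an account."""

    def __init__(self, max_attempts=5, code_ttl=300, now=time.time):
        self.max_attempts = max_attempts  # None reproduces the unbounded-guess condition
        self.code_ttl = code_ttl          # seconds a code stays valid
        self._now = now                   # injectable clock so expiry can be tested
        self._pending = {}                # phone -> {"code", "attempts", "issued"}

    def issue_code(self, phone):
        """Generate a fresh 6-digit code for the phone and reset its attempt counter."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"code": code, "attempts": 0, "issued": self._now()}
        return code

    def verify(self, phone, guess):
        """Return 'linked', 'wrong', 'locked', 'expired' or 'no_code'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_code"              # nothing outstanding: code consumed, burned or never sent
        if self._now() - entry["issued"] > self.code_ttl:
            del self._pending[phone]
            return "expired"
        # Constant-time comparison; malformed input simply counts as a failed attempt.
        well_formed = isinstance(guess, str) and len(guess) == 6 and guess.isdigit()
        if well_formed and hmac.compare_digest(entry["code"], guess):
            del self._pending[phone]      # single use: a correct code is consumed
            return "linked"
        entry["attempts"] += 1
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            del self._pending[phone]      # burn the code; further guesses need a new SMS
            return "locked"
        return "wrong"
```

Burning the code after a few failures means each new SMS is a visible, separately rate-limitable event rather than a silent retry.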
Mänôz noticed the bug in Meta Account Center the year before and reported it to the company in mid-September. Meta fixed the bug a few days ago and paid Mänôz $27,200 for the report.
Meta spokeswoman Gabby Curtis said that the login system was undergoing a small public test when the bug was found. According to Curtis, a review of Meta’s bug reports found no evidence of the vulnerability being exploited in the wild, and Meta saw no spike in use of the feature, suggesting that no one was abusing it.