A $27,200 bug bounty was given to a researcher by Meta for a flaw that avoided Facebook 2FA

To make it simpler for Instagram, Facebook, and Meta (VR) users to manage their accounts, Meta introduced a consolidated login mechanism, the Meta Accounts Center. Unfortunately, its developers overlooked an obvious mistake involving attempt limits when setting up the 2FA system.
In July 2022, a first-year security researcher named Gtm Mänôz discovered the flaw. Mänôz began tinkering with the Meta Accounts Center interface, which controls all Meta accounts, while searching for his first bug bounty to present at BountyCon 2022. The Accounts Center offers features akin to Google’s one-stop login for its numerous services (YouTube, Gmail, Docs, etc.).
He noted that the page allowed users to attach a phone number to their accounts when linking them. After entering the phone number, the user types in the six-digit Facebook 2FA code that the system sends to that number. However, Mänôz found that when an incorrect code was entered, the Accounts Center simply asked the user to try again instead of issuing a new code.
Additionally, there was no limit on the number of failed attempts that could be entered in the verification box. Because of this error, Mänôz could brute-force the Facebook 2FA code on his own account and thereby link another user’s phone number to it. The victim’s only notification that their phone number has been linked to another user’s account is an email from Meta, sent after the number has already been taken.
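To make the defect concrete, here is an added illustration (not Meta’s code, and not the researcher’s): a toy model of SMS-code verification for linking a phone number to an account. `WeakPhoneLinker` reproduces what the article describes, a code that stays valid for any number of wrong guesses and is never refreshed, so a six-digit space can be searched exhaustively. `HardenedPhoneLinker` adds the usual mitigations: a cap on failed attempts that invalidates the code, an expiry window, and a constant-time comparison. The attempt cap (5), the TTL (300 s), the account ids, phone number and code value are all constructed for the example.

```python
"""Toy model of SMS-code verification for linking a phone number to an account.

WeakPhoneLinker mirrors the flaw described in the article; HardenedPhoneLinker
shows the mitigations. Policy numbers and sample values are constructed for
illustration and are not taken from any real system.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_LENGTH = 6
MAX_FAILED_ATTEMPTS = 5   # assumed policy value
CODE_TTL_SECONDS = 300    # assumed policy value


def generate_code() -> str:
    # secrets gives an unpredictable code; zero-pad so "004217" keeps its length.
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


@dataclass
class PendingLink:
    phone_number: str
    code: str
    issued_at: float
    failed_attempts: int = 0


class WeakPhoneLinker:
    """The code is issued once and stays valid for unlimited wrong guesses."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingLink] = {}
        self.linked: Dict[str, str] = {}  # phone_number -> account_id

    def start_link(self, account_id: str, phone_number: str,
                   code: Optional[str] = None) -> str:
        code = code or generate_code()
        self.pending[account_id] = PendingLink(phone_number, code, time.time())
        return code  # a real system sends this by SMS rather than returning it

    def verify(self, account_id: str, guess: str,
               now: Optional[float] = None) -> str:
        p = self.pending.get(account_id)
        if p is None:
            return "no_pending_code"
        if guess == p.code:
            del self.pending[account_id]
            self.linked[p.phone_number] = account_id  # number moves to this account
            return "linked"
        return "retry"  # no counter and no new code: the same code stays valid


class HardenedPhoneLinker(WeakPhoneLinker):
    """Same flow with an attempt cap, expiry and constant-time comparison."""

    def verify(self, account_id: str, guess: str,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        p = self.pending.get(account_id)
        if p is None:
            return "no_pending_code"
        if now - p.issued_at > CODE_TTL_SECONDS:
            del self.pending[account_id]
            return "expired"
        # compare_digest does not leak the position of the first mismatch via timing
        if hmac.compare_digest(guess.encode(), p.code.encode()):
            del self.pending[account_id]
            self.linked[p.phone_number] = account_id
            return "linked"
        p.failed_attempts += 1
        if p.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Invalidate the code: the client must request a fresh one, which
            # resets the search and gives the server a natural point to alert.
            del self.pending[account_id]
            return "locked"
        return "retry"


def demo() -> Dict[str, Tuple[str, str]]:
    """Feeds the same sequence of wrong guesses to both verifiers, then the
    correct code. Returns (status after wrong guesses, status of correct code)."""
    results: Dict[str, Tuple[str, str]] = {}
    for name, linker in (("weak", WeakPhoneLinker()),
                         ("hardened", HardenedPhoneLinker())):
        linker.start_link("example-account", "+15550100", code="004217")  # constructed
        outcome = "retry"
        for wrong in range(1000):  # 000000 .. 000999, none equal to 004217
            outcome = linker.verify("example-account", f"{wrong:06d}")
            if outcome != "retry":
                break
        results[name] = (outcome, linker.verify("example-account", "004217"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the contrast: the weak verifier still accepts the correct code after a thousand wrong guesses, while the hardened one reports `locked` on the fifth failure and then rejects even the right code because no code is pending any more. Re-issuing a code on lockout is also the natural place to notify the number's current owner before, rather than after, the link is completed.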

A $27,200 bug bounty - Facebook 2FA
Although the main inconvenience of this exploit is that the owner has to re-register their phone number, it temporarily disables 2FA on the victim’s account. The target remains vulnerable to password phishing attacks until they take action.
Mänôz, who spoke to TechCrunch, said, “basically, the largest impact here was cancelling anyone’s SMS-based 2FA by knowing the phone number.”
In response to a bug report from Mänôz in September, Meta promptly patched the problem. According to a spokesperson, the Meta Accounts Center was still in beta and only accessible to a select group of users when Mänôz discovered the issue. The spokesperson added that Meta’s investigation had found no spike in use of that feature, which suggested that attackers had not exploited it.
Despite the glitch’s modest severity, Meta gave Mänôz a $27,200 bug bounty. Not bad for his initial bug hunt.
In the past few years, Meta has occasionally had trouble with the login processes for its numerous accounts. There was a slight panic when it locked everyone out of Facebook in 2021 to reconfigure the website. Several users’ accounts were deliberately frozen last year for failing to enable “Facebook Protect” by the deadline given in an official Meta email that looked suspiciously like a phishing scam.
