A security researcher from Nepal recently found a vulnerability in the login system Meta uses for Facebook, Instagram and its other apps that allowed anyone to bypass SMS-based two-factor authentication on a victim’s account.
“Anyone can use this vulnerability to bypass SMS-based two-factor authentication as long as they know the person’s phone number,” researcher Gtm Mänôz told TechCrunch.
Mänôz said the vulnerability was in Meta’s unified login system, which did not limit the number of attempts a user could make when entering the two-factor code used to log in to an account.
This means that all an attacker needed was the target’s phone number or email address; with no attempt limit, the SMS two-factor code could simply be brute-forced by submitting every possible value until one was accepted. A correct guess linked the target’s phone number to the attacker’s account.
After a successful attack, Meta notified the victim that their account had been linked to someone else’s account, and two-factor authentication on the victim’s account was disabled as a result.
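The following is an added example written for this article, not Meta’s code: a small simulated SMS-code verifier that shows why a missing attempt limit turns a one-time code into a brute-force target, and what an attempt limit changes. It assumes a six-digit numeric code (the article does not state the code length) and uses a constructed sample code, `042517`, in place of a real, randomly generated one.

```python
import hmac
from typing import Optional, Tuple

# Assumption of this example: a six-digit numeric SMS code, as is common
# for SMS one-time codes. The article does not state the code length.
CODE_LENGTH = 6


class OtpVerifier:
    """Simulated server-side check of an SMS one-time code.

    Hypothetical model written for this article, not Meta's implementation.
    max_attempts=None reproduces the flaw described in the article: the
    server keeps accepting guesses for the same code until one matches.
    """

    def __init__(self, code: str, max_attempts: Optional[int] = None):
        self._code = code
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False  # True once the code is consumed or burned

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # a discarded code never validates, even if the guess is right
        self.attempts += 1
        # Constant-time comparison so response timing does not leak partial matches
        if hmac.compare_digest(guess.encode(), self._code.encode()):
            self.locked = True  # one-time code: a correct guess consumes it
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True  # attempt limit reached: discard the code
        return False


def brute_force(verifier: OtpVerifier) -> Tuple[Optional[str], int]:
    """Submit every code 000000..999999 in order, as an attacker who knows
    only the victim's phone number would.

    Returns (code_found_or_None, number_of_guesses_made).
    """
    space = 10 ** CODE_LENGTH
    for n in range(space):
        guess = f"{n:0{CODE_LENGTH}d}"
        if verifier.verify(guess):
            return guess, n + 1
        if verifier.locked:
            return None, n + 1  # the server stopped accepting guesses
    return None, space


if __name__ == "__main__":
    victim_code = "042517"  # constructed sample; a real code is random per login
    unlimited = OtpVerifier(victim_code)
    print("no attempt limit:", brute_force(unlimited))   # code recovered
    limited = OtpVerifier(victim_code, max_attempts=5)
    print("5-attempt limit: ", brute_force(limited))     # locked out after 5
```

With no limit, the attacker needs on average about 500,000 requests to hit a six-digit code, which is trivial to automate; with a five-attempt limit the chance of guessing any single issued code is 5 in a million, and the code is discarded after that. In a real deployment the attempt limit would sit alongside a short code lifetime and throttling of how often a code can be requested for the same phone number, so that repeatedly triggering fresh codes does not reset the attacker’s budget.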
Mänôz reported the bug to the company last year, and Meta has since fixed the vulnerability. Meta ultimately paid him $27,200 (currently about RMB 184,000) as a reward for the discovery.