Facebook’s two-factor protection isn’t foolproof. A cybersecurity researcher figured out how to disable the two-factor protection on a Meta account while knowing only the associated mobile number. The bug has fortunately since been fixed.
Meta, Facebook’s parent company, is currently working to centralize account management for its various products. It’s a small change for users but a lot of work for developers, and it increases the risk of leaving a security hole. It is precisely in the new “Accounts Area” of Instagram that a Nepalese cybersecurity researcher, Gtm Mänôz, discovered a major flaw. It made it possible to deactivate the two-factor authentication (2FA) of any account while knowing only the associated mobile number.
This security option improves the protection of an account by sending, for example, a one-time code by SMS that must be entered in addition to the password to log in. The flaw in question lay in the step of adding a new mobile number to an account to set up this protection. After the phone number is entered, the site sends a six-digit code by SMS that must be typed in to confirm ownership of the number.
The flaw allowed the victim’s 2FA protection to be disabled
Normally, the number of attempts to enter this code is limited, to stop an attacker from brute-forcing it by trying every possible combination. This is precisely the limit Meta forgot to put in place.
An attacker could therefore add to their own account the mobile number that another Instagram or Facebook account used for two-factor authentication. When the site sent the code, they only had to enter any six-digit sequence manually the first time and record the request sent to the site. They could then use software to replay that same request up to a million times, changing the code each time. This is one of the most rudimentary hacking techniques; what made it matter here is what happened next. Once the code was accepted, the number was removed from the victim’s account and its 2FA protection deactivated.
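The attempt cap that was missing, as an added illustration (not Meta’s code): a small Python verifier that issues a six-digit SMS code and refuses any further guess after a handful of failures, so a replayed request stops being useful after five tries instead of a million. The limit of five attempts, the ten-minute expiry and the phone numbers used in the test are assumed values.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 600    # a code expires ten minutes after it is sent (assumed)


class OtpVerifier:
    """Tracks one pending six-digit code per phone number, with an attempt cap."""

    def __init__(self, now=time.time):
        self._now = now
        # phone -> {"code": str, "issued": float, "failures": int}
        self._pending = {}

    def issue(self, phone):
        # Cryptographically random, zero-padded to six digits, e.g. "042913".
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[phone] = {"code": code, "issued": self._now(), "failures": 0}
        return code  # in production this goes to the SMS gateway, never back to the caller

    def verify(self, phone, guess):
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        if entry["failures"] >= MAX_ATTEMPTS:
            # The code is dead even if this guess is right; a fresh one must be issued.
            return "locked"
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(entry["code"], guess):
            del self._pending[phone]  # a code is accepted at most once
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            return "locked"
        return "wrong"
```

Without the `failures` counter, `verify` would happily check all one million candidates for the same pending code, which is the behaviour the article describes.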
A flaw that could not be exploited without the password
Of course, this did not give the attacker direct access to the account; they still had to obtain the password by another method. In addition, the victim received by SMS the confirmation code for the addition of their number, then an e-mail informing them that the number had been removed from their account. However, an intruder who had already obtained the victim’s password could quickly disable two-factor authentication with this method, log into the victim’s account and change the password, locking the victim out of their own account.
Gtm Mänôz reported the flaw on September 14, and Meta patched it on October 17. The firm indicates that the flaw was exposed during a small-scale public beta test and does not seem to have been exploited. Meta paid him a reward of $27,200 under its bug bounty program, the second-largest reward of 2022, out of more than 750 awards totaling over $2 million.