Facebook’s two-factor protection isn’t foolproof. A cybersecurity researcher figured out how to disable the two-factor security of a Meta account knowing only the associated mobile number. Fortunately, the bug has been fixed.
Meta, Facebook’s parent company, is currently working to centralize account management for its various products. It’s a small change for users but a lot of work for developers, and this increases the risk of leaving a security hole. It is precisely in the new “Accounts Area” of Instagram that a Nepalese cybersecurity researcher, Gtm Mänôz, discovered a major flaw. It made it possible to deactivate two-factor authentication (2FA) on any account knowing only the associated mobile number.
Two-factor authentication improves the protection of an account by, for example, sending a single-use code by SMS that must be entered in addition to the password to log in. The flaw in question arises when adding a new mobile number to an account to set up this protection. After the phone number is entered, the site sends a six-digit code by SMS that must be entered to confirm ownership of the number.
The flaw makes it possible to disable the victim’s 2FA security
Normally, the number of attempts to enter this code is limited to prevent hackers from mounting a brute-force attack by trying every possible code. This is precisely what Meta forgot to put in place.
A hacker could therefore add to their own account the mobile number used by another Instagram or Facebook account for two-factor authentication. When the site sent the code, all they had to do was manually enter any six-digit series the first time and record the request sent to the site. They could then use software to resend the same request a million times, changing the code each time. This is one of the most rudimentary hacking techniques. What matters is what happened next: the number was then deleted from the victim’s account, and its 2FA security deactivated.
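The attempt limit described above, sketched as an added example (not Meta’s code and not part of the original article): a six-digit SMS challenge that is burned after a few wrong guesses, next to the unlimited variant. The class and function names, the limit of 5 attempts and the 10-minute lifetime are assumptions.

```python
import hmac
import secrets
import time
from collections import Counter

CODE_TTL_SECONDS = 600  # assumed policy value, not from the article


class SmsChallenge:
    """One pending six-digit SMS confirmation for a phone number."""

    def __init__(self, max_attempts=5, now=None):
        # max_attempts=None reproduces the missing limit described above.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.max_attempts = max_attempts
        self.expires_at = (time.time() if now is None else now) + CODE_TTL_SECONDS
        self.failed = 0
        self.closed = False

    def check(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.closed or now > self.expires_at:
            return "rejected"  # caller must request a fresh code
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.closed = True  # a code is valid exactly once
            return "verified"
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.closed = True  # burn the code; later guesses cannot succeed
        return "wrong_code"


def replay_all_codes(challenge):
    """Submit every six-digit value in order and tally the server's answers."""
    tally = Counter()
    for guess in range(10**6):
        tally[challenge.check(f"{guess:06d}")] += 1
    return tally
```

With the limit in place, a full sweep of the code space gets only five real comparisons before the challenge closes, so the number is never confirmed unless one of those five guesses happens to be right.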
A flaw that cannot be exploited without the password
Of course, this did not give the attacker direct access to the account. They still had to get the password by another method. In addition, the victim received by text message the confirmation code for adding their number, then an email notifying them that their number had been removed from their account. However, if the intruder had already obtained the victim’s password, they could quickly disable two-factor authentication with this method, then log into the victim’s account and change the password, preventing the victim from accessing their own account.
Gtm Mänôz reported the flaw on September 14, and it was patched by Meta on October 17. The firm indicates that the flaw was accessible during a small-scale public beta test, and does not seem to have been exploited. Meta paid him a reward of $27,200 as part of its bug bounty program, the second largest reward for 2022, out of more than 750 awards granted for a total amount exceeding $2 million.