1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Meta's 2FA security protections could have been switched off with

    From TechnologyDaily@1337:1/100 to All on Tue Jan 31 15:30:03 2023
    Meta's 2FA security protections could have been switched off with ease

    Date:
    Tue, 31 Jan 2023 15:14:47 +0000

    Description:
    Bug allowed 2FA to be removed simply by knowing the phone number linked to a victims Facebook account.

    FULL STORY ======================================================================

    As late as September 2022, a bug in Metas centralized account management system allowed threat actors to remove 2FA protections for Facebook accounts simply by knowing the phone number attached to an account.

    According to a Medium post , (via Techcrunch ), security researcher Gtm Mnz found that, from the Meta Accounts Center account management system designed to link Facebook and Instagram accounts, an attacker could enter a victims phone number, link the number to their own Facebook account, and then brute force the 2FA SMS code for the victims account, thanks to there being no set upper limit for code entry attempts.

    Following a successful attempt, victims would have their 2FA disabled,
    leaving their accounts only secured by a password, which, following a
    phishing or social engineering attack, could easily be retrieved by a dedicated threat actor. Metas bug bounty program

    In his Medium post, Mnz claimed to have found the bug in preparation for BountyCon, a security researcher conference co-hosted by Meta and Google, simply by prodding a new looking UI within Meta Accounts Center.

    He also claimed that, because the endpoints that verify e-mail addresses and phone numbers across Instagram and Facebook accounts were the same, verification for contact points that had already been attached to accounts could be bypassed, making the bug possible. Read more

    Meta hit with huge fine for leaking user data


    What is ID fraud and why is identity theft a problem?


    Weve also listed the best identity theft protection services right now

    Though its unknown just how long the bug was active within the Facebook portion of Meta Account Centers 2FA system, a fix appeared after just over a month, with Mnz submitting a bug report to Meta on September 14, and a fix being confirmed to him on October 17.

    Meta itself mentioned the bug in the 2022 recap of its Bug Bounty Program , noting that Mnz was awarded $27,200 for his efforts. Heres our list of the best password managers right now



    ======================================================================
    Link to news story: https://www.techradar.com/news/metas-2fa-security-protections-could-have-been- switched-off-with-ease


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)