Internet related News · 2023-01-31

Flaw in Facebook 2FA? – News

A flaw in a new, centralized system that Meta developed for users to manage their Facebook & Instagram logins could have made it possible for nefarious hackers to disable two-factor safeguards (2FA) on an account simply by knowing the phone number of the account holder.

As first reported by TechCrunch, Gtm Mänôz, a security researcher from Nepal, realized that Meta had not set up a limit on the number of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which enables users to link all of their Meta accounts, including Facebook & Instagram.

An attacker might use the victim’s phone number to access the centralized accounts center, link the victim’s number to their own Facebook account, & then brute force the two-factor SMS code. Once the attacker cracked the code, the victim’s phone number would be connected to the attacker’s Facebook account. After a successful attack, Meta would still notify the victim that their two-factor authentication had been blocked because their phone number had been connected to another account.
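The missing control described above is an attempt limit on code verification. The following is an added example, not Meta's code and not from the TechCrunch report: a minimal verifier that counts wrong guesses per claimed phone number rather than per submitting account, since in the flow described the guesses come from the attacker's own account. The class and status names, the six-digit code length, the thresholds and the in-memory store are all assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 5   # assumed policy: wrong guesses allowed per phone number
CODE_TTL = 300     # assumed code lifetime, seconds
LOCKOUT = 3600     # assumed lockout after too many wrong guesses, seconds


class OtpVerifier:
    """Hypothetical verifier; state is keyed by the phone number being claimed."""

    def __init__(self):
        self._state = {}  # phone -> code, expires, failures, locked_until

    def issue(self, phone, now):
        st = self._state.setdefault(
            phone, {"code": None, "expires": 0, "failures": 0, "locked_until": 0})
        if now < st["locked_until"]:
            return None  # requesting a new code must not clear the lockout
        if st["locked_until"]:
            st.update(failures=0, locked_until=0)  # lockout has run its course
        st["code"] = f"{secrets.randbelow(10**6):06d}"  # six digits assumed
        st["expires"] = now + CODE_TTL
        return st["code"]  # would go out by SMS; returned here for the demo

    def verify(self, phone, guess, now):
        st = self._state.get(phone)
        if st is None:
            return "no_valid_code"
        if now < st["locked_until"]:
            return "locked"
        if st["code"] is None or now >= st["expires"]:
            st["code"] = None
            return "no_valid_code"
        if hmac.compare_digest(guess.encode(), st["code"].encode()):
            st["code"], st["failures"] = None, 0  # single use
            return "ok"
        st["failures"] += 1
        if st["failures"] >= MAX_FAILURES:
            st["code"] = None  # burn the code so later guesses cannot match
            st["locked_until"] = now + LOCKOUT
            return "locked"
        return "wrong"


def demo():
    v, phone = OtpVerifier(), "+15555550100"  # constructed sample number
    code = v.issue(phone, now=0)
    wrong = "000001" if code == "000000" else "000000"
    results = [v.verify(phone, wrong, now=1) for _ in range(MAX_FAILURES)]
    results.append(v.verify(phone, code, now=2))  # correct code, after lockout
    results.append(v.issue(phone, now=3))         # re-request while locked
    return results
```

With five guesses against a six-digit code, a blind guesser succeeds at most 5 times in 1,000,000 per lockout window, and the correct code submitted after the lockout is still refused.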
