It was a significant find, as Meta seems to be putting more and more focus on its Accounts Center feature, letting you manage settings and security information from it, as well as use it to switch to your other accounts. According to Mänôz, the attack was relatively simple; if you knew the phone number or email address the other person used for two-factor authentication, you could link it to your own account, which would remove it from the victim’s.
The thing that’s supposed to prevent this is a six-digit authentication code that gets sent to the other person’s account or phone number, which you don’t have access to. (If you did, you wouldn’t need an exploit.) The bug Mänôz found, however, let an attacker guess that code however many times they wanted — set a program or script to do that task, and it would eventually guess right.
In the worst-case scenario (the method had different effects based on whether the person had fully or partially confirmed their contact info), this would entirely turn off 2FA on the victim’s account. The fact that it was running through Account Center also defeated some other security measures; according to Mänôz’s post, Facebook wouldn’t usually let you add an already-registered email address to your account, but this method bypassed that.
Meta seems to have fixed the issue relatively quickly. Mänôz reported it on September 14th, 2022, and it was dealt with by mid-October after the company’s security team actually figured out how to test it. (According to Mänôz, the Accounts Center hadn’t rolled out for the team’s accounts, and it disappeared from Mänôz’s account after he gave them the credentials so they could test with it.) Meta ended up paying Mänôz a $27,200 bug bounty for reporting the issue. Meta’s post from December doesn’t mention whether it was exploited in the wild, and the company didn’t immediately respond to The Verge’s request for comment.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
