Site icon TechNewsBoy.com

Security researcher finds bug that may have allowed hackers to bypass Facebook’s 2FA

Meta created a centralised system to allow users to manage connected experiences like logging in across accounts on Facebook and Instagram. A security researcher has said a bug in this system, called Meta Accounts Center, may have allowed hackers to disable two-factor authentication (2FA) – a way that helps users to keep their social media accounts protected from unauthorised access.
Gtm Mänôz, a security researcher from Nepal, said he reported a bug he found in the Meta Accounts Center in September last year.
Bug in Meta Accounts Center
Mänôz said that he found that Meta did not set up a limit to enter login code it sends via SMS as a part of the two-factor authentication process. As per the researcher, this bug would have allowed a hacker to bypass the authentication protections using brute force attacks.

It is to be noted that when users set up two-factor authentication, they are asked for a special code to login to an account. This code is sent every time users log in to their accounts. Users also get alerts when someone tries logging in from a browser or mobile device Meta doesn’t recognise.
This helps users keep their accounts safe even if hackers get a user’s phone number because they won’t have the special code required to sign-in to their accounts. Since there was no limit to attempt authentication via login code, hackers could have guessed that code by punching it in multiple times until they got it right.
In case the hacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. Meta wil still send a message to the victims informing them that their 2FA was disabled and their phone number got linked to someone else’s account.

At this stage, since the 2FA no longer existed for that particular account, hackers could have taken over the victim’s account.
Meta fixed the bug
Mänôz said that soon after he found and reported the bug, Meta fixed this vulnerability. “We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report,” Meta said in a report in December.

Data of 500 million WhatsApp users leaked, How to check if you’re WhatsApp data is at risk

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.
Exit mobile version