
Meta fixes 2FA bug on Facebook and Instagram


A rate-limiting flaw in Meta’s new Accounts Centre allowed attackers to brute-force two-factor codes and effectively bypass two-factor authentication on Facebook and Instagram. The bug was discovered by Nepalese security researcher Gtm Mänôz, who was awarded $27,200 for the report. The issue was reported to Meta on September 14, 2022, and a fix for Facebook was issued by October 17, 2022. Meta has since fixed the issue.

The bug affected the new centralised system through which Meta lets users manage their Facebook and Instagram logins together. Mänôz realised that Meta did not limit how many times a user could enter the two-factor code used to log into these accounts and the new Meta Accounts Centre. This meant an attacker could go to the Accounts Centre, link the victim’s phone number to their own Facebook account and brute-force the two-factor code.

A message from Facebook informing the victim that TFA has been disabled on their account post-exploitation. | Source: Gtm Mänôz

Once the code is correctly guessed, the victim’s phone number is linked to the attacker’s Facebook account, and Meta sends the victim a message saying that two-factor authentication has been disabled on their account. At this point, the attacker could in theory phish the victim’s account credentials, since the account no longer has two-factor authentication.
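To make the missing control concrete, here is an added illustration (not Meta's code and not from the researcher's report) of a phone-confirmation code check with and without a per-code attempt limit; the attempt limit, code lifetime, phone numbers and helper names are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5         # failed guesses allowed per code before it is invalidated (assumed value)
CODE_TTL_SECONDS = 300   # lifetime of an issued code in seconds (assumed value)

class OtpVerifier:
    """Server-side store of pending phone-confirmation codes (constructed example).
    rate_limited=False reproduces the flaw above (unlimited guesses); rate_limited=True
    burns the code after MAX_ATTEMPTS wrong guesses, as a fixed verifier should."""

    def __init__(self, rate_limited=True, now=time.time):
        self.rate_limited = rate_limited
        self.now = now                  # injectable clock so expiry can be tested
        self.challenges = {}            # phone -> {"code", "issued_at", "failures", "used"}

    def issue(self, phone, code=None):
        # Fresh random 6-digit code per request; a real service would send it by SMS.
        code = code or f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[phone] = {"code": code, "issued_at": self.now(),
                                  "failures": 0, "used": False}
        return code

    def verify(self, phone, guess):
        ch = self.challenges.get(phone)
        if ch is None or ch["used"]:
            return "no_challenge"
        if self.now() - ch["issued_at"] > CODE_TTL_SECONDS:
            del self.challenges[phone]
            return "expired"
        if self.rate_limited and ch["failures"] >= MAX_ATTEMPTS:
            return "locked"             # code is dead; a new one must be requested
        if hmac.compare_digest(ch["code"], guess):   # constant-time comparison
            ch["used"] = True           # a code is accepted only once
            return "ok"
        ch["failures"] += 1
        return "wrong"

def guessing_outcome(verifier, phone):
    """Test helper: enumerate codes until the verifier accepts one or locks the code."""
    for attempt, candidate in enumerate(range(1_000_000), start=1):
        result = verifier.verify(phone, f"{candidate:06d}")
        if result in ("ok", "locked"):
            return result, attempt
    return "exhausted", 1_000_000
```

With the limit off, enumeration reaches the code; with it on, the sixth guess is refused and the code has to be re-issued, which is exactly the gap the Accounts Centre lacked.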

Meta spokesperson Gabby Curtis told TechCrunch that at the time of discovery, the login system was still undergoing a small public test. Further investigation into the matter revealed no evidence of exploitation in the wild. Additionally, the company saw no spike in usage of this feature, indicating that it wasn’t abused. 


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
