
Meta’s Account Center came with a 2FA-defeating bug

The Verge logo The Verge 1/30/2023 Mitchell Clark
© Illustration by Nick Barclay / The Verge

Meta’s Accounts Center feature had a bug that let attackers brute-force the SMS two-factor authentication code, allowing them to bypass the additional protection (via TechCrunch). The vulnerability, which Meta says it fixed in December, was reported by Nepalese security researcher Gtm Mänôz, who detailed the exploit in a Medium post earlier this month.

It was a significant find, as Meta seems to be putting more and more focus on its Accounts Center feature, which lets you manage settings and security information and switch between your accounts. According to Mänôz, the attack was relatively simple: if you knew the phone number or email address the victim used for two-factor authentication, you could link it to your own account, which removed it from the victim’s.

The thing that’s supposed to prevent this is a six-digit confirmation code that gets sent to the other person’s email address or phone number, which you don’t have access to. (If you did, you wouldn’t need an exploit.) The bug Mänôz found, however, let an attacker guess that code as many times as they wanted. A six-digit code has only a million possible values, so a script that simply cycles through them would eventually guess right.
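The following is an added illustration of the failure described above, not code from Meta or from Mänôz’s post. It simulates a pending contact-point confirmation with a six-digit code and runs the attacker’s enumeration loop against two variants: one with no attempt limit (the flawed behaviour) and one that locks the code after a handful of wrong guesses (one standard mitigation; whether this is exactly what Meta deployed is not stated on this page). The class and function names, and the fixed code "123456" used for a reproducible run, are constructed for the example.

```python
"""Simulation of an unthrottled six-digit confirmation code versus an
attempt-limited one. Illustrative only; not Meta's implementation."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_LEN = 6
CODE_SPACE = 10 ** CODE_LEN  # 1,000,000 possible codes


class TooManyAttempts(Exception):
    """Raised once the attempt budget for a pending code is exhausted."""


@dataclass
class ConfirmationCode:
    """One pending email/phone confirmation.

    max_attempts=None reproduces the bug: guesses are never throttled.
    A small positive limit models the hardened check.
    """
    code: str
    max_attempts: Optional[int] = None
    attempts: int = 0
    locked: bool = False

    @classmethod
    def issue(cls, max_attempts: Optional[int] = None) -> "ConfirmationCode":
        """Generate a fresh random code, as a real service would."""
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_LEN}d}"
        return cls(code=code, max_attempts=max_attempts)

    def verify(self, guess: str) -> bool:
        """Check one guess. Locks permanently once the budget is spent."""
        if self.locked:
            raise TooManyAttempts
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
            raise TooManyAttempts
        self.attempts += 1
        # Constant-time comparison so timing does not leak the code.
        return hmac.compare_digest(self.code.encode(), guess.encode())


def brute_force(pending: ConfirmationCode) -> Tuple[Optional[str], int]:
    """Attacker's loop: try 000000..999999 until one is accepted or we are locked out.

    Returns (recovered_code_or_None, guesses_made).
    """
    for n in range(CODE_SPACE):
        guess = f"{n:0{CODE_LEN}d}"
        try:
            if pending.verify(guess):
                return guess, pending.attempts
        except TooManyAttempts:
            return None, pending.attempts
    return None, pending.attempts


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run the attack against the flawed and the hardened verifier."""
    # Fixed code (constructed) so the run is reproducible; issue() gives a random one.
    vulnerable = ConfirmationCode(code="123456")
    found_v, tries_v = brute_force(vulnerable)
    print(f"no limit:        recovered {found_v} after {tries_v} guesses")

    hardened = ConfirmationCode(code="123456", max_attempts=5)
    found_h, tries_h = brute_force(hardened)
    print(f"5-attempt limit: recovered {found_h}; locked out after {tries_h} guesses")
    return found_v, found_h


if __name__ == "__main__":
    demo()
```

With no limit the loop recovers the code after at most a million guesses (half that on average), which is a matter of hours even at modest request rates; with a five-attempt budget the same loop is stopped on the sixth request and the code is useless to the attacker. In a real service the budget would also be tied to the account and the requesting client, and a fresh code would be required after lockout.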

In the worst-case scenario (the method had different effects depending on whether the person had fully or only partially confirmed their contact info), this would entirely turn off 2FA on the victim’s account. The fact that it ran through Accounts Center also defeated some other security measures; according to Mänôz’s post, Facebook wouldn’t usually let you add an already-registered email address to your account, but this method bypassed that check.

Meta seems to have fixed the issue relatively quickly. Mänôz reported it on September 14th, 2022, and it was dealt with by mid-October, once the company’s security team worked out how to test it. (According to Mänôz, Accounts Center hadn’t rolled out to the team’s accounts, and it disappeared from Mänôz’s own account after he gave them his credentials so they could test with it.) Meta ended up paying Mänôz a $27,200 bug bounty for reporting the issue. Meta’s post from December doesn’t mention whether it was exploited in the wild, and the company didn’t immediately respond to The Verge’s request for comment.
