Meta's 2FA security protections could have been switched off with ease

Hologram of security padlock operating on the electronic circuit CPU.
(Image credit: Getty Images)

As late as September 2022, a bug in Meta’s centralized account management system allowed threat actors to remove 2FA protections for Facebook accounts simply by knowing the phone number attached to an account.

According to a Medium post, (via Techcrunch), security researcher Gtm Mänôz found that, from the Meta Accounts Center account management system designed to link Facebook and Instagram accounts, an attacker could enter a victim’s phone number, link the number to their own Facebook account, and then brute force the 2FA SMS code for the victim’s account, thanks to there being no set upper limit for code entry attempts.

Following a successful attempt, victims would have their 2FA disabled, leaving their accounts only secured by a password, which, following a phishing or social engineering attack, could easily be retrieved by a dedicated threat actor. 

TechRadar Pro needs you! 

We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Meta’s bug bounty program

In his Medium post, Mänôz claimed to have found the bug in preparation for BountyCon, a security researcher conference co-hosted by Meta and Google, simply by prodding “a new looking UI” within Meta Accounts Center.

He also claimed that, because the endpoints that verify e-mail addresses and phone numbers across Instagram and Facebook accounts were the same, verification for contact points that had already been attached to accounts could be bypassed, making the bug possible.

Though it’s unknown just how long the bug was active within the Facebook portion of Meta Account Center’s 2FA system, a fix appeared after just over a month, with Mänôz submitting a bug report to Meta on September 14, and a fix being confirmed to him on October 17.

Meta itself mentioned the bug in the 2022 recap of its Bug Bounty Program, noting that Mänôz was awarded $27,200 for his efforts.

Luke Hughes
Staff Writer

 Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.