A bug in Meta’s Accounts Center temporarily left Facebook users exposed, even with two-factor authentication enabled.
Meta came very close to a new scandal. A Nepalese security researcher, Gtm Mänôz, spotted a critical flaw in Meta’s Accounts Center. As a reminder, this is the centralized system that lets Facebook and Instagram users manage their credentials. It turned out that a bug could let attackers bypass two-factor authentication on Facebook accounts through a brute-force attack.
Concretely, all an attacker had to do was try six-digit verification codes until the right one turned up. Nothing fancy. According to Gtm Mänôz, the problem was that Meta did not cap the number of attempts. Once the code was found, the victim’s phone number was linked to the attacker’s Facebook account and two-factor authentication was switched off, leaving the way clear.
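As an added illustration (not code from Meta or from the researcher's report), this is the kind of attempt-budgeted verification that closes the hole described above: the failure budget, lockout period, account names and codes are assumed values.

```python
import hmac
import time

MAX_FAILURES = 5            # wrong guesses tolerated per issued code (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # cooling-off period once that budget is spent (assumed)
CODE_LENGTH = 6

class OtpVerifier:
    """Per-account verification of a six-digit code that counts failures.

    A check with no attempt budget lets a guesser walk through all 10**6
    codes; this one discards the code after MAX_FAILURES misses and refuses
    both new codes and further checks until the lockout expires.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for tests
        self._pending = {}              # account -> [code, failures]
        self._locked_until = {}         # account -> unix time

    def _is_locked(self, account):
        return self._now() < self._locked_until.get(account, 0.0)

    def issue(self, account, code):
        """Register a freshly sent code; refused while the account is locked."""
        if self._is_locked(account) or len(code) != CODE_LENGTH or not code.isdigit():
            return False
        self._pending[account] = [code, 0]
        return True

    def verify(self, account, submitted):
        """Return True only for the live code, within the failure budget."""
        if self._is_locked(account):
            return False                # even a correct guess is rejected here
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, failures = entry
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self._pending[account]             # codes are single-use
            return True
        entry[1] = failures + 1
        if entry[1] >= MAX_FAILURES:
            del self._pending[account]             # burn the code
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
        return False
```

Rejecting the correct code during the lockout, and refusing to issue a new one, is what stops a guesser from simply resetting the counter by requesting another code.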
Meta corrects course
The facts date back to September 2022, but it took until December for Meta to fix the problem. Asked by TechCrunch, a spokesperson for the social media giant said that at the time of the bug, the Accounts Center was still in a small-scale public test phase; in other words, the exposure was limited. The spokesperson added that there is no evidence the bug was exploited: Meta reportedly reviewed activity on the authentication feature and saw no spikes, which suggests nothing untoward happened.
Either way, Meta gets off lightly. So does Gtm Mänôz, who collected a $27,000 bounty for his report. Still, if one person found the flaw, others could follow, and not necessarily with the best intentions. The group’s track record on security and privacy is not exactly strong. Meta can breathe again, but the damage is done and user distrust is unlikely to fade.