Meta’s 2FA security protections could have been switched off with ease

It wasn’t until September 2022 that a bug in Meta’s centralized account management system allowed threat actors to remove 2FA protection from Facebook accounts simply by knowing the phone number associated with an account.

According to a Medium post (via TechCrunch), security researcher Gtm Mänôz discovered that from the Meta Account Center, the account management system designed to link Facebook and Instagram accounts, an attacker could enter a victim’s phone number, link the number to their own Facebook account, and then brute force the 2FA SMS code for the victim’s account, because there was no set upper limit on attempts to enter a code.
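The flaw described above is a missing upper limit on code attempts. The Python verifier below is an added example, not Meta's code or the researcher's: it counts failures per phone number being verified, so the guess budget survives re-issued codes and does not depend on which account or session is asking. `OtpVerifier`, the limits and the status strings are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Assumed policy values, not taken from the article.
MAX_ATTEMPTS = 5   # wrong guesses allowed per phone number
CODE_TTL = 300     # seconds a code stays valid
LOCKOUT = 900      # seconds before a new code may be issued after lockout


class OtpVerifier:
    """Hypothetical SMS code verifier with a per-phone-number attempt cap."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}       # phone -> (code, expires_at)
        self._failures = {}      # phone -> wrong guesses since last success
        self._locked_until = {}  # phone -> time when issuing is allowed again

    def issue(self, phone):
        """Create a 6-digit code; returns None while the number is locked."""
        if self._clock() < self._locked_until.get(phone, 0.0):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        # Re-issuing replaces the code but does NOT reset the failure count.
        self._pending[phone] = (code, self._clock() + CODE_TTL)
        return code  # a real service would send this by SMS, not return it

    def verify(self, phone, guess):
        """Return 'ok', 'wrong', 'locked' or 'no_code'."""
        if self._clock() < self._locked_until.get(phone, 0.0):
            return "locked"
        entry = self._pending.get(phone)
        if entry is None or self._clock() >= entry[1]:
            self._pending.pop(phone, None)
            return "no_code"
        if hmac.compare_digest(entry[0].encode(), guess.encode()):
            del self._pending[phone]          # codes are single use
            self._failures.pop(phone, None)
            return "ok"
        self._failures[phone] = self._failures.get(phone, 0) + 1
        if self._failures[phone] >= MAX_ATTEMPTS:
            # Burn the code and block re-issue: the budget is now bounded.
            del self._pending[phone]
            self._failures.pop(phone, None)
            self._locked_until[phone] = self._clock() + LOCKOUT
            return "locked"
        return "wrong"


def max_guess_probability(attempts=MAX_ATTEMPTS, digits=6):
    """Upper bound on guessing a code within one attempt budget."""
    return attempts / 10**digits
```

With these values, a guesser gets at most 5 tries in 1,000,000 per lockout window, instead of being able to walk the whole code space.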