>
It wasn’t until September 2022 that a bug in Meta’s centralized account management system allowed threat actors to be removed 2FA protection for Facebook accounts simply by knowing the phone number associated with an account.
According to a Medium mail (opens in new tab)(through Tech crunch (opens in new tab)), security researcher Gtm Mänôz discovered that from the Meta Account Center (opens in new tab) account management system designed to link Facebook and Instagram accounts, an attacker could enter a victim’s phone number, link the number to their own Facebook account, and then brute force the 2FA SMS code for the victim’s account, because there is no set upper limit on attempts to enter a code.
After a successful attempt, victims would have disabled their 2FA, leaving their accounts protected only with a password, which, after a phishing or social engineering attack, can be easily recovered by a dedicated threat actor.
In his Medium post, Mänôz claimed to have found the bug in preparation for BountyCon, a conference for security researchers co-hosted by Meta and Google, simply by offering “a new-looking user interface” within Meta Accounts Center.
He also claimed that because the endpoints verifying email addresses and phone numbers on Instagram and Facebook accounts were the same, verification for contact points already associated with accounts could be bypassed, enabling the bug.
While it’s not known how long the bug was active in the Facebook section of Meta Account Center’s 2FA system, a fix appeared after a little over a month. Mänôz submitted a bug report to Meta on September 14 and a fix was confirmed to him on October 17.
Meta itself mentioned the bug in the Summary 2022 of the Bug Bounty Program (opens in new tab)noting that Mänôz received $27,200 for his efforts.