Meta* recently introduced a centralized Accounts Center so that users of Instagram* and Facebook* could manage their accounts in one place. Unfortunately, when building its two-factor authentication (2FA) flow, the developers overlooked a glaring error.
A novice bug hunter from Nepal, Gtm Mänôz, examined the new Meta Accounts Center interface and noticed that, as part of linking Facebook and Instagram accounts, the Accounts Center page lets a user attach a phone number to their Meta account. All it takes is entering the phone number and the six-digit 2FA code.
Mänôz then found that when a wrong code is entered, the system simply asks for it again rather than sending a new one. Moreover, there was no limit on the number of failed attempts to enter the code.
Mänôz therefore ran a brute-force attack against the verification page and successfully guessed the two-factor authentication code. As a result, any existing phone number could be linked to the attacker's profile.
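The missing control here is an attempt limit on code verification. The following is an added illustration (not Meta's code) of how a server-side phone-link verifier can close the gap: each issued code is single-use, expires, and is burned after a small number of wrong guesses, so a six-digit code cannot be enumerated. The attempt limit, lifetime and phone number are assumed values chosen for the example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # failed guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 300    # lifetime of an issued code (assumed policy)


class PhoneLinkVerifier:
    """Server-side state for one pending phone-number link request."""

    def __init__(self, phone, now=time.time):
        self.phone = phone      # constructed sample value, not a real number
        self._now = now         # injectable clock so expiry can be tested offline
        self.code = None
        self.issued_at = None
        self.failures = 0

    def issue_code(self):
        # A fresh random code replaces any previous one and resets the counter;
        # re-prompting for the same code forever is exactly what enabled the bug.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = self._now()
        self.failures = 0
        return self.code

    def verify(self, submitted):
        # No live code: never issued, expired, or burned by too many failures.
        if self.code is None:
            return "no_code"
        if self._now() - self.issued_at > CODE_TTL_SECONDS:
            self.code = None
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(self.code, submitted):
            self.code = None    # single use: a correct code cannot be replayed
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.code = None    # burn the code; the user must request a new one
            return "locked"
        return "wrong"
```

Once a code is burned, even the correct value is rejected until a new code is issued, which is what turns a 10^6 search space into at most MAX_ATTEMPTS guesses per delivery.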
Notably, once the number was linked to the attacker's Meta account, it was unlinked from the Facebook or Instagram account it previously belonged to, and two-factor authentication on that account was turned off. Disabling 2FA sharply lowers an account's security, making it much faster and easier for attackers to break in.
Facebook notification about 2FA being turned off and the phone number being unlinked
"In fact, the greatest impact of this vulnerability is disabling the victim's configured two-factor authentication by using the victim's phone number," Mänôz said.
Meta fixed the vulnerability in September, before it was publicly disclosed. No one other than Mänôz himself exploited it. Despite the vulnerability's relatively modest severity, the newly minted bug hunter received a generous reward of $27 thousand. Apparently, Meta's representatives hoped this story would motivate other newcomers to the cybersecurity field.
* Meta, the company, and its Facebook products are recognized as extremist organizations, and their activities are banned in the territory of the Russian Federation.