In the Account Summary, Meta allows users to link their Facebook, Instagram and Meta accounts, but from the start the portal had a serious security hole: a hacker could circumvent the two-factor authentication (2FA for short) of Facebook accounts with little effort. All that was needed was the target's phone number.
Gtm Mänôz, a security expert from Nepal, found that Meta had set no limit on the number of 2FA code entries. After starting a login and having the security code sent to the linked smartphone, an attacker could try an unlimited number of codes. This method, well known as brute force, is one of the oldest tricks in the hacking trade and can be prevented very easily by locking the account after a wrong code has been entered several times.
Because Meta had not taken this security measure, Mänôz was ultimately able to simply guess the 2FA code and then link the phone number to another Facebook account. The hijacked account is then protected only by its regular password. At least an e-mail informed the account owner about the relinking of the telephone number.
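As an added illustration (not code from Meta or from the article), here is how a 2FA verification endpoint can enforce the lockout the article describes: a per-account counter of consecutive wrong codes, a temporary lock after a fixed number of failures, and invalidation of the outstanding code. The class name, the limits and the string results are assumptions made for this example.

```python
import hmac
import secrets
import time


class OtpVerifier:
    """Verify a 6-digit 2FA code with a per-account attempt limit.

    Added example (hypothetical design, not Meta's code): the counter is keyed
    on the account being logged into, not on the client, because the attacker
    in the article only needed the victim's phone number and could come from
    anywhere.
    """

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self._max_attempts = max_attempts
        self._lockout_seconds = lockout_seconds
        self._clock = clock              # injectable so tests can move time
        self._codes = {}                 # account_id -> outstanding code
        self._failures = {}              # account_id -> consecutive wrong codes
        self._locked_until = {}          # account_id -> clock value

    def issue(self, account_id):
        """Generate a fresh code. Issuing does not reset the failure counter,
        so re-requesting codes cannot buy extra guesses."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[account_id] = code
        return code

    def verify(self, account_id, submitted):
        """Return 'ok', 'wrong', 'locked' or 'no_code'."""
        now = self._clock()
        if self._locked_until.get(account_id, 0) > now:
            return "locked"              # rejected even if the code is right
        expected = self._codes.get(account_id)
        if expected is None:
            return "no_code"             # nothing outstanding; a new code must be requested
        if hmac.compare_digest(expected, submitted):
            del self._codes[account_id]  # single use
            self._failures[account_id] = 0
            return "ok"
        failures = self._failures.get(account_id, 0) + 1
        self._failures[account_id] = failures
        if failures >= self._max_attempts:
            # Lock 2FA for this account for a while, invalidate the code so the
            # remaining guess space is worthless, and reset the counter.
            self._locked_until[account_id] = now + self._lockout_seconds
            del self._codes[account_id]
            self._failures[account_id] = 0
            return "locked"
        return "wrong"
```

With max_attempts=5 an attacker gets at most 5 guesses out of 1,000,000 possible codes per issued code; without any limit, as on the affected portal, guessing the code is only a matter of time.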
Mänôz discovered the vulnerability as part of a bug bounty program and passed his find on to Meta in September 2022. The company fixed the vulnerability days later and rewarded Mänôz with $27,200. A Meta spokeswoman told TechCrunch that the affected login system was still in a limited public test at the time of the error. There is no evidence that the method was abused.