In the latest mind-boggling revelation of a possible identity management flop, a hacker has discovered a bug that allows anyone to bypass Facebook's two-factor authentication (2FA).
The bug was introduced in a new centralized system Meta built to let users manage their logins for Facebook and Instagram.
Courtesy of this bug, malicious hackers were able to switch off an account's two-factor protections just by knowing the account owner's phone number.
A security researcher from Nepal, Gtm Mänôz, discovered the cause: Meta had failed to set a limit on the number of attempts a user could make when entering the two-factor code.
That code is used to log into accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook, WhatsApp, and Instagram.
With this development, all an attacker needed was a victim's phone number. They could go to the centralized Accounts Center, enter that number, link it to their own Facebook account, and then brute force the two-factor SMS code.
This was the key step, because there was no upper limit to the number of attempts someone could make.
Thus, once the hacker got the code right, the victim's phone number would be moved over to the attacker's Facebook account.
Note that with this scenario, a successful attack would still result in Meta sending the victim a message, announcing their two-factor was disabled because their phone number got linked to someone else’s account.
“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” said Mänôz.
A screenshot of an email sent by Meta to a user says: "We wanted to let you know that your phone number was registered and verified by another person on Facebook."
It is an email from Meta to an account owner telling them that their two-factor protections have been switched off.
At this point, theoretically, an attacker could try to take over the victim's Facebook account just by phishing for the password, given that the target no longer had two-factor enabled.
Mänôz found the bug in the Meta Accounts Center last year and reported it to the company in mid-September.
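The defect described above is a missing attempt limit on code verification. As an added illustration (not Meta's code; the verifier, the `MAX_ATTEMPTS` budget and the phone number are assumptions), the following sketches a minimal SMS-code verifier in both forms and a regression check that submits every six-digit value to confirm the limit actually holds:

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5  # assumed budget of wrong guesses per issued code


class OtpVerifier:
    """Holds one pending SMS code per phone number and checks submitted codes.

    limit_attempts=False reproduces the defect described in the article:
    a code can be guessed indefinitely. limit_attempts=True is the fix.
    """

    def __init__(self, limit_attempts: bool) -> None:
        self.limit_attempts = limit_attempts
        self.pending: Dict[str, dict] = {}  # phone -> {"code", "attempts"}

    def issue(self, phone: str, code: Optional[str] = None) -> str:
        # A real system sends the code by SMS; it is returned here for the demo.
        code = code or f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = {"code": code, "attempts": 0}
        return code

    def verify(self, phone: str, submitted: str) -> str:
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"  # nothing issued, or already used/locked
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            del self.pending[phone]  # a code is single-use
            return "verified"
        if self.limit_attempts and entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[phone]  # invalidate; user must request a fresh code
            return "locked"
        return "wrong_code"


def exhaustive_guess(verifier: OtpVerifier, phone: str) -> Tuple[bool, int]:
    """Regression check: submit every 6-digit value in order and report
    whether the code was found and how many submissions were accepted."""
    for n in range(10**6):
        result = verifier.verify(phone, f"{n:06d}")
        if result == "verified":
            return True, n + 1
        if result in ("locked", "no_pending_code"):
            return False, n + 1
    return False, 10**6
```

With the limit off, the check always finds the code; with it on, the code is invalidated after `MAX_ATTEMPTS` submissions and a new one must be requested, which is the property a rate-limit test should assert.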
Meta fixed the bug a few days later and paid Mänôz $27,200 for reporting the bug.
Meta spokesperson Gabby Curtis was recently quoted as saying that at the time of the bug, the login system was still at the stage of a small public test.
Curtis also said that Meta's investigation after the bug was reported found no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would have signalled abuse.