New Security Threat For Meta As Hacker Discovers Bug In Centralized System For User Logins

A bug was recently discovered by security researcher Gtm Mänôz in Meta’s centralized system that the company created for user logins.

The system was designed to unify logins across apps such as Facebook and Instagram, and the flaw may have allowed attackers to turn off two-factor verification protections for anyone whose phone number they knew.

The news comes via a security researcher who hails from Nepal. He found that the company did not enforce any limit on the number of attempts a user could make when entering two-factor codes to access accounts on Meta's new Accounts Center.

Accounts Center lets users link all of their accounts, including those on Instagram and Facebook.

Using only a victim's phone number, the attacker enters Accounts Center, supplies that number, and attempts to link it to a Facebook account. Meta then sends an SMS-based two-factor code to confirm the link.

Experts consider this the crucial step: because there was no upper limit on the number of attempts, anyone could simply keep guessing the code.

Once the attacker guesses the code correctly, the victim's phone number is linked to the attacker's Facebook account. If that succeeds, Meta sends the victim a message saying that two-factor authentication has been disabled.

This happens because the victim's number has now been attached to another person's account.
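As an added illustration (not Meta's code or the researcher's), the following Python models the verification step behind the bug: a phone-linking check with no attempt limit beside the same check with a per-code guess budget and lockout. The class, the thresholds, the account names and the phone number are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed example modelled on the bug described above; not Meta's code.
# max_attempts=None reproduces the missing limit; a finite value is the fix.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # assumption: per-code guess budget
LOCKOUT_SECONDS = 900     # assumption: cooldown once the budget is spent

class PhoneLinkVerifier:
    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts   # None = unlimited guesses (the bug)
        self.codes = {}                    # (account, phone) -> pending code
        self.attempts = defaultdict(int)   # wrong guesses per pending code
        self.locked_until = {}             # (account, phone) -> unix time

    def send_code(self, account, phone):
        # Issue a fresh SMS code for linking `phone` to `account`.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[(account, phone)] = code
        self.attempts[(account, phone)] = 0
        return code   # returned only so a caller can simulate the SMS

    def verify(self, account, phone, guess, now=None):
        key = (account, phone)
        now = time.time() if now is None else now
        if self.locked_until.get(key, 0) > now:
            return "locked"
        expected = self.codes.get(key)
        if expected is None:
            return "no_pending_code"
        if hmac.compare_digest(expected, guess):
            del self.codes[key]
            return "linked"   # phone is now attached to `account`
        self.attempts[key] += 1
        if self.max_attempts is not None and self.attempts[key] >= self.max_attempts:
            del self.codes[key]     # burn the code so a restart is required
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong_code"

def guess_every_code(verifier, account, phone):
    """Simulate sequential guessing; returns (outcome, guesses made)."""
    for n in range(10 ** CODE_DIGITS):
        outcome = verifier.verify(account, phone, f"{n:0{CODE_DIGITS}d}")
        if outcome in ("linked", "locked"):
            return outcome, n + 1
    return "exhausted", 10 ** CODE_DIGITS
```

With `max_attempts=None` the guessing loop always ends in `linked`; with the cap it ends in `locked` after five wrong guesses, and the correct code is refused until the lockout expires.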

The biggest impact here is that a person's SMS-based 2FA could be revoked by something as simple as knowing their phone number.

At that point, an attacker could attempt to take complete control of the victim's Facebook account by phishing the password alone, provided the target had no 2FA protection enabled.

The researcher from Nepal found the bug in Meta's Accounts Center last year, and the tech giant says it fixed it shortly afterward. Meta also paid the researcher a $27,000 bounty for reporting it.

A spokesperson for the company told TechCrunch that at the time such an attack was possible, Meta was still testing its new login system in a small public trial. The feature had not been fully rolled out, and the company was waiting on feedback.

The spokesperson also said the researcher's report prompted Meta to investigate further, and that investigation found no evidence of exploitation. Nor was there any unusual rise in the use of those features that would indicate someone was abusing them.
