A cybersecurity researcher named Gtm Mänôz from Nepal uncovered a bug in Meta Platforms’ recently launched account center that allowed him to disable two-factor authentication (2FA) on any account whose phone number he knew.
According to TechCrunch’s report, the bug worked as follows. First, the attacker would try to link the victim’s phone number to an account the attacker controlled. Linking a number requires entering a one-time code sent by SMS to that number, but Meta had not set a maximum number of verification attempts, so the attacker could simply brute-force the code. This missing attempt limit was one of the weaknesses Mänôz identified.
Once the code was accepted, the number was linked to the attacker’s account and silently unlinked from the victim’s, which disabled the victim’s SMS-based 2FA. From that point the attacker only needed the victim’s password, obtained by phishing or similar methods.
With 2FA disabled, the attacker could then log into the account without any additional verification step.
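The following simulation, an added example that is not Meta’s code or the researcher’s, models the two halves of the bug described above: an SMS-code verifier that never counts failed guesses, and a phone-linking step that moves the number (and the SMS 2FA tied to it) away from whichever account held it before. The six-digit code, the phone number, the account names and the five-attempt lockout policy in the hardened verifier are all constructed assumptions.

```python
"""Simulation of an unlimited-attempt SMS code check and of a phone-linking
step that silently strips SMS 2FA from the previous owner of the number.
Constructed example; not Meta's code.  Values are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 5  # assumed lockout policy for the hardened verifier


@dataclass
class Challenge:
    phone: str            # number the caller wants to link
    code: str             # one-time SMS code (constructed; real ones are random)
    attempts: int = 0
    consumed: bool = False


@dataclass
class Account:
    phone: str | None = None
    sms_2fa: bool = False


def verify_unlimited(ch: Challenge, guess: str) -> str:
    """Vulnerable verifier: failed guesses are never counted."""
    if ch.consumed:
        return "locked"
    if hmac.compare_digest(ch.code, guess):
        ch.consumed = True
        return "ok"
    return "wrong"


def verify_limited(ch: Challenge, guess: str) -> str:
    """Hardened verifier: the challenge dies after MAX_ATTEMPTS wrong guesses."""
    if ch.consumed or ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    ch.attempts += 1
    if hmac.compare_digest(ch.code, guess):
        ch.consumed = True
        return "ok"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    return "wrong"


def brute_force(ch: Challenge, verify) -> tuple[bool, int]:
    """Submit every possible code in order until the verifier accepts or
    locks the challenge.  Returns (succeeded, guesses_sent)."""
    for n in range(10 ** CODE_DIGITS):
        result = verify(ch, f"{n:0{CODE_DIGITS}d}")
        if result == "ok":
            return True, n + 1
        if result == "locked":
            return False, n + 1
    return False, 10 ** CODE_DIGITS


def link_phone(accounts: dict[str, Account], owner: str, ch: Challenge) -> None:
    """Attach ch.phone to `owner`.  Mirrors the behaviour the report describes:
    the number is detached from whoever held it, and their SMS 2FA goes with it."""
    if not ch.consumed:
        raise PermissionError("SMS code not verified")
    for name, acct in accounts.items():
        if acct.phone == ch.phone and name != owner:
            acct.phone = None
            acct.sms_2fa = False  # 2FA silently disabled for the previous holder
    accounts[owner].phone = ch.phone


def simulate(verify) -> dict:
    """Run the attack against one verifier and report the resulting state."""
    accounts = {
        "victim": Account(phone="+15550100", sms_2fa=True),  # constructed
        "attacker": Account(),
    }
    ch = Challenge(phone="+15550100", code="271828")  # constructed fixed code
    ok, guesses = brute_force(ch, verify)
    if ok:
        link_phone(accounts, "attacker", ch)
    return {
        "bypassed": ok,
        "guesses": guesses,
        "victim_2fa": accounts["victim"].sms_2fa,
        "attacker_phone": accounts["attacker"].phone,
    }


if __name__ == "__main__":
    print("no attempt limit :", simulate(verify_unlimited))
    print("attempt limit    :", simulate(verify_limited))
```

Against the unlimited verifier the loop reaches the code after 271,829 guesses and the victim’s 2FA flag flips to False; against the limited verifier the challenge locks after five wrong guesses and the victim’s number and 2FA are untouched. A six-digit code has only a million possibilities, so an attempt cap (or per-number rate limiting plus code expiry) is what makes the code secret in practice, not the code itself.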
Meta Rewarded Mänôz for Uncovering the Flaw and Fixed the Issue Last Year
Companies like Meta typically reward researchers who uncover this kind of weakness, since they effectively save the company from the financial loss and reputational damage that come with a security breach.
Meta Platforms (META) was informed of the flaw in September last year and made the required changes. The firm paid the researcher $27,200 for identifying the bug. The company stated that the feature was still in testing at the time and that there was no evidence the bug had been exploited.
In late 2021, Facebook made two-factor authentication (2FA) mandatory for high-profile accounts to protect them from account takeover through phishing campaigns. At the time, the company enrolled over 1.5 million accounts in the program, known as Facebook Protect, and described 2FA as one of the most “underutilized” security measures on the internet.
Facebook also stated that less than 4% of its active users had set up 2FA on their accounts, leaving them highly exposed to phishing and the other tactics attackers use to steal passwords.
What is Two-Factor Authentication (2FA)? Is it Foolproof?
Two-factor authentication requires, in addition to the password, a second credential that is different for every login attempt. This one-time code is typically sent to a registered e-mail address or phone number that only the legitimate user can read, so knowing or brute-forcing the password alone is no longer enough to get into the account. As the Meta bug shows, the code itself also has to be protected against guessing: a six-digit code has only a million possible values, so the service must cap verification attempts.
With 2FA enabled, an attacker would also have to get into the e-mail account, which may itself be protected by 2FA, or take over the victim’s phone number (for example by cloning the SIM or having the carrier move the number to a new SIM) in order to read the SMS codes.
This raises the cost of the attack and typically discourages attackers from pursuing the victim.
Other forms of 2FA have also appeared, such as authenticator apps installed on the user’s phone that act as a checkpoint whenever a login is attempted. A push notification is sent to the phone, and the user approves the login on the registered device. The practical caveat is that one-tap approval only protects the account if users decline prompts for logins they did not initiate.
Some apps use a fingerprint as the second factor, on the basis that it cannot be replicated unless the attacker somehow obtains a usable copy of the person’s print, which is difficult to pull off.
Even though 2FA is not entirely foolproof, it is one of the best ways to protect user accounts from unauthorized access. Security experts note that bypassing it takes considerable effort, and attackers will usually only undertake such a task when they believe the reward far exceeds the cost of mounting a targeted attack on the victim.