Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Facebook Privacy Security

Hacker Finds Bug That Allowed Anyone To Bypass Facebook 2FA (techcrunch.com) 13

An anonymous reader quotes a report from TechCrunch: A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account's two-factor protections just by knowing their phone number. Gtm Manoz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.

With a victim's phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make. Once the attacker got the code right, the victim's phone number became linked to the attacker's Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else's account.

Manoz found the bug in the Meta Accounts Center last year, and reported it to the company in mid-September. Meta fixed the bug a few days later, and paid Manoz $27,200 for reporting the bug. Meta spokesperson Gabby Curtis told TechCrunch that at the time of the bug the login system was still at the stage of a small public test. Curtis also said that Meta's investigation after the bug was reported found that there was no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would signal the fact that no one was abusing it.

This discussion has been archived. No new comments can be posted.

Hacker Finds Bug That Allowed Anyone To Bypass Facebook 2FA

Comments Filter:
  • by Virtucon ( 127420 ) on Tuesday January 31, 2023 @08:46AM (#63253467)

    This seems like a glaring hole.

    1) Get the Phone Number
    2) Link the number to your account
    3) Brute force via SMS
    4) Gain Access

    Throttling and restricting SMS attempts would seem too obvious and why would Meta allow someone else to register a phone number that was already
    registered?!?

    • Sounds like they found a new way to use Microsoft office....guessing. So yea, does sound creepily straight forward.

    • by bobby ( 109046 )

      You ask a great question. I've been horrified that phone numbers (and SMS) have become so integral to "security". UGH!!!

      Anyway, speculating, but one possibility is that more than one person could share a phone.

    • The answer is simply that security is not a concern that they would spend money on in advance, it is an expense that they want to minimize and only spend money on it when a situation comes up that forces them to.

    • Also note that it doesn't just "bypass" 2FA, it takes it over.

      Bypass makes it sound like it turns off the second factor, requiring them to also know your password. But of course it isn't that. The 2FA is a single alternate factor, that is tied to your phone number. The whole thing is as lie premised on the value of your personal information and the utility of a phone number as an ID number to identify and track a consumer.

      Things like throttling or data security make sense if you think that 2FA is a security

  • by hdyoung ( 5182939 ) on Tuesday January 31, 2023 @09:20AM (#63253539)
    a solid 6 months of salary, if they really want to incentivize people to come forward with bug reports. I suspect that the industry as a whole is secretly extremely unenthusiastic about independent bug hunters. They would prefer to be left alone. They dont really want people independently poking at their system for bugs. But offering zero dollars means that almost every hole will stream right into the criminal world.

    Multiply the bug bounty payouts by a factor of 5. The impact on Facebook's bottom line? Not even noticeable.
  • Just change all those federated log in buttons, scattered all over the web, to read "Log in *as anyone* with Facebook"!

  • Seriously, can we just stop now?

    I get companies like Facebook like it because it has the double advantage of being something people are already familiar with, and duping them into giving you their phone number, but seriously, can we just stop now?

    It is the absolute worst 2FA option.

    Clever hack though. They noticed details, and figured out how to abuse them. I kind of find something like this more impressive than something obviously more technical.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...