Hacker Finds Bug That Allowed Anyone To Bypass Facebook 2FA (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account's two-factor protections just by knowing their phone number. Gtm Manoz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
With a victim's phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the number of attempts someone could make. Once the attacker got the code right, the victim's phone number became linked to the attacker's Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else's account.
Manoz found the bug in the Meta Accounts Center last year, and reported it to the company in mid-September. Meta fixed the bug a few days later, and paid Manoz $27,200 for reporting the bug. Meta spokesperson Gabby Curtis told TechCrunch that at the time of the bug the login system was still at the stage of a small public test. Curtis also said that Meta's investigation after the bug was reported found that there was no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would signal the fact that no one was abusing it.
Re:Only "hackers" can do it (Score:5, Informative)
No? Stop invoking the bogeyman. "Hacker" has stopped meaning anything ages ago.
"Hacker" is a term used pretty consistently for decades. While it started meaning any skilled computer enthusiast, the general public has used the term to mean a skilled person who exploits computer systems to gain unauthorized access for quite some time.
From only reading the summary, it looks like calling those who could exploit this weakness "hackers" is an accurate use of the term. It appears not anyone can do this, only someone skilled in breaking into computer systems. Not that it matters much, since there are plenty of these people out there.
Re: (Score:1)
At hackaday they just add a note, "(the other kind)" when they use the word to describe people violating security for nefarious purposes.
And even though their neckbeards reach to their knees, nobody cares anymore.
Who is doing architectural reviews for Meta? (Score:3)
This seems like a glaring hole.
1) Get the Phone Number
2) Link the number to your account
3) Brute force via SMS
4) Gain Access
Throttling and restricting SMS attempts would seem too obvious, and why would Meta allow someone else to register a phone number that was already registered?!?
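The missing controls that the summary and this post describe, as an added example that is not code from Meta or from the TechCrunch article: a small model of an SMS-code phone-linking flow, with the unbounded verifier beside a hardened one that caps attempts, expires the code, consumes it on use, and refuses to issue a code for a number already bound to another account. The class, function names, limits and sample values are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed lockout threshold per pending code
CODE_TTL_SECONDS = 300    # assumed lifetime of an SMS code

@dataclass
class PendingLink:
    """One SMS code issued to link `phone` to `account` (constructed model)."""
    account: str
    phone: str
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False

def issue_code(account, phone, phone_owner, now=None):
    """Issue a linking code, or None if the number is bound to another account."""
    if phone_owner.get(phone, account) != account:
        return None
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return PendingLink(account, phone, code, now if now is not None else time.time())

def verify_unbounded(pending, guess):
    """Vulnerable form: no attempt counter, so every wrong guess is free."""
    return pending.code == guess

def verify_limited(pending, guess, now=None):
    """Hardened form: expiry, attempt cap with lockout, single use, constant-time compare."""
    now = now if now is not None else time.time()
    if pending.locked or now - pending.issued_at > CODE_TTL_SECONDS:
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        pending.locked = True    # code is burned; the user must request a fresh one
        return False
    if hmac.compare_digest(pending.code, guess):
        pending.locked = True    # consume on success so the code cannot be replayed
        return True
    return False

def guesses_until_accept(verifier, pending, limit=10 ** CODE_DIGITS):
    """Sweep the code space in order; return guesses needed, or None if never accepted."""
    for n in range(limit):
        if verifier(pending, f"{n:0{CODE_DIGITS}d}"):
            return n + 1
    return None
```

Against the unbounded verifier the sweep always terminates at the code's position in the space; against the hardened one it locks after MAX_ATTEMPTS and never succeeds.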
Re: Who is doing architectural reviews for Meta? (Score:1)
Sounds like they found a new way to use Microsoft Office... guessing. So yeah, does sound creepily straightforward.
Re: (Score:2)
You ask a great question. I've been horrified that phone numbers (and SMS) have become so integral to "security". UGH!!!
Anyway, speculating, but one possibility is that more than one person could share a phone.
Re: (Score:1)
The answer is simply that security is not a concern that they would spend money on in advance, it is an expense that they want to minimize and only spend money on it when a situation comes up that forces them to.
Re: (Score:1)
Also note that it doesn't just "bypass" 2FA, it takes it over.
Bypass makes it sound like it turns off the second factor, requiring them to also know your password. But of course it isn't that. The 2FA is a single alternate factor, that is tied to your phone number. The whole thing is a lie premised on the value of your personal information and the utility of a phone number as an ID number to identify and track a consumer.
Things like throttling or data security make sense if you think that 2FA is a security
bug bounty for something like that should be (Score:5, Interesting)
Multiply the bug bounty payouts by a factor of 5. The impact on Facebook's bottom line? Not even noticeable.
Simple Fix (Score:2)
Just change all those federated login buttons, scattered all over the web, to read "Log in *as anyone* with Facebook"!
Stop using SMS for 2FA (Score:2)
Seriously, can we just stop now?
I get companies like Facebook like it because it has the double advantage of being something people are already familiar with, and duping them into giving you their phone number, but seriously, can we just stop now?
It is the absolute worst 2FA option.
Clever hack though. They noticed details, and figured out how to abuse them. I kind of find something like this more impressive than something obviously more technical.