As late as September 2022, a bug in Meta’s centralized account management system allowed threat actors to remove 2FA protections for Facebook accounts simply by knowing the phone number attached to an account.
According to a Medium post (opens in new tab), (via Techcrunch (opens in new tab)), security researcher Gtm Mänôz found that, from the Meta Accounts Center (opens in new tab) account management system designed to link Facebook and Instagram accounts, an attacker could enter a victim’s phone number, link the number to their own Facebook account, and then brute force the 2FA SMS code for the victim’s account, thanks to there being no set upper limit for code entry attempts.
Following a successful attempt, victims would have their 2FA disabled, leaving their accounts only secured by a password, which, following a phishing or social engineering attack, could easily be retrieved by a dedicated threat actor.
In his Medium post, Mänôz claimed to have found the bug in preparation for BountyCon, a security researcher conference co-hosted by Meta and Google, simply by prodding “a new looking UI” within Meta Accounts Center.
He also claimed that, because the endpoints that verify e-mail addresses and phone numbers across Instagram and Facebook accounts were the same, verification for contact points that had already been attached to accounts could be bypassed, making the bug possible.
Though it’s unknown just how long the bug was active within the Facebook portion of Meta Account Center’s 2FA system, a fix appeared after just over a month, with Mänôz submitting a bug report to Meta on September 14, and a fix being confirmed to him on October 17.
Meta itself mentioned the bug in the 2022 recap of its Bug Bounty Program (opens in new tab), noting that Mänôz was awarded $27,200 for his efforts.
