A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number.
Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
With a victim’s phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make.
Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else’s account.
“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.
https://techcrunch.com/
Victims of the MegaCortex ransomware can now recover their encrypted files for free, thanks to the release of a new file decryptor. The free decryptor was built by cybersecurity firm Bitdefender and the EU’s No More Ransom initiative in cooperation with the Zürich Cantonal Police, the Zürich Public Prosecutor’s Office and Europol, which in September […]
Ion Group, a Dublin-based software company that helps financial institutions automate their critical business processes, has been hit by a ransomware attack that forced several European and U.S. banks to revert to manual processes. The cyberattack, which TechCrunch learned about on Tuesday, affected Ion’s Cleared Derivatives division, which provides software for automating the trading lifecycle and the […]
The Housing Authority of the City of Los Angeles, or HACLA, has confirmed it is investigating a cybersecurity incident shortly after the LockBit ransomware gang claimed responsibility for a cyberattack on the agency. HACLA, which provides affordable housing to more than 19,000 low-income families across Los Angeles, was added to LockBit’s dark web leak site on […]
Leave a Reply