A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number.
Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
With a victim’s phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make.
Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else’s account.
“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.
https://techcrunch.com/
The infrastructure behind Hive, one of the most prolific ransomware operations, has been seized by law enforcement agencies in the United States and Europe. Hive saw its dark web portal seized as part of a coordinated law enforcement action carried out by the U.S. Department of Justice, the FBI, Secret Service and several European government agencies, […]
Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy. The app economy in 2023 hit a few snags, as consumer spending last year dropped for the first time by 2% to $167 billion, according to data.ai’s “State of Mobile” report. However, […]
CircleCI, a company whose development products are popular with software engineers, has urged users to rotate their secrets following a breach of the company’s systems. The San Francisco–headquartered DevOps company said in an advisory published late Wednesday that it is currently investigating the security incident — its most recent in recent years. “We wanted to make you […]
Leave a Reply