Skip to main content

Meta’s Account Center came with a 2FA-defeating bug

Meta’s Account Center came with a 2FA-defeating bug

/

The problem’s been fixed, but a hacker could’ve potentially used it to strip an account’s extra protection.

Share this story

Meta logo in white on red background
Illustration by Nick Barclay / The Verge

Meta’s Accounts Center feature had a bug that let hackers brute force SMS two-factor authentication, allowing them to bypass the additional protection (via TechCrunch). The vulnerability, which Meta says it fixed in December, was reported by Nepalese security researcher Gtm Mänôz, who detailed the exploit in a Medium post earlier this month.

It was a significant find, as Meta seems to be putting more and more focus on its Accounts Center feature, letting you manage settings and security information from it, as well as use it to switch to your other accounts. According to Mänôz, the attack was relatively simple; if you knew the phone number the other person used for two-factor authentication, you could link it to your own account, which would remove it from the victim’s.

The thing that’s supposed to prevent this is a six-digit authentication code that gets sent to the other person’s account or phone number, which you don’t have access to. (If you did, you wouldn’t need an exploit.) The bug Mänôz found, however, let an attacker guess that code however many times they wanted — set a program or script to do that task, and it would eventually guess right.

In the worst-case scenario (the method had different effects based on whether the person had fully or partially confirmed their contact info), this would entirely turn off 2FA on the victim’s account. The fact that it was running through Account Center also defeated some other security measures; according to Mänôz’s post, Facebook wouldn’t usually let you add an already-registered email address to your account, but this method bypassed that.

Meta seems to have fixed the issue relatively quickly. Mänôz reported it on September 14th, 2022, and it was dealt with by mid-October after the company’s security team actually figured out how to test it. (According to Mänôz, the Accounts Center hadn’t rolled out for the team’s accounts, and it disappeared from Mänôz’s account after he gave them the credentials so they could test with it.) Meta ended up paying Mänôz a $27,200 bug bounty for reporting the issue. Meta wouldn’t provide an on-the-record statement about the bug’s impact, but spokesperson Gabby Curtis told TechCrunch that it was caught during a small public test, and that there didn’t appear to be evidence that it was exploited before being fixed.

Correction January 30th, 3:50 PM ET: A previous version of this article stated the bug affected email-based two-factor authentication, but Meta spokesperson Gabby Curtis says it only impacted SMS-based 2FA. We regret the error.

Update January 30th, 3:50 PM ET: Updated to note the bug doesn’t appear to have been exploited.