Facebook’s two-step protection had a bug and could be bypassed


When we protect access to an online account with two-factor authentication (2FA), also called two-step verification, we expect it to keep other people out of the account even if they know the password.

That is how two-step verification works in general: we receive a code by SMS or from an app, so that only we can log in to banks, social networks and other services.

The point is, the system Meta created to manage Facebook logins featured a bug that could have allowed hackers to disable two-factor protections on an account just by knowing its phone number.

The bug was uncovered by Gtm Mänôz, a security researcher from Nepal, who discovered that Meta did not limit the number of attempts when the two-factor code was entered.

In this way, with a victim’s phone number, a hacker could link that number to their own Facebook account and then break the two-factor code sent via SMS.

Once someone gets the code and completes the link, two-factor protection is disabled on your account.
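The missing control described above is an attempt limit on code entry. The following is an added example, not Meta's code: a minimal phone-confirmation service that counts failed guesses per phone number rather than per requesting account, so asking for a fresh code does not reset the counter. The class name, limits and the sample number are assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 5      # assumed policy, not Meta's actual value
CODE_TTL = 300        # seconds a code stays valid (assumed)
LOCK_WINDOW = 3600    # seconds failures are remembered (assumed)


class PhoneConfirmation:
    """Confirms ownership of a phone number with a 6-digit SMS code."""

    def __init__(self):
        self._codes = {}     # phone -> (code, expires_at)
        self._failures = {}  # phone -> (count, window_start)

    def _failure_count(self, phone, now):
        count, start = self._failures.get(phone, (0, now))
        if now - start >= LOCK_WINDOW:   # old failures age out
            count, start = 0, now
        self._failures[phone] = (count, start)
        return count

    def issue(self, phone, now):
        """Create a code; returns None while the number is locked."""
        if self._failure_count(phone, now) >= MAX_FAILURES:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[phone] = (code, now + CODE_TTL)
        return code  # in production this goes to the SMS gateway only

    def verify(self, phone, submitted, now):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        if self._failure_count(phone, now) >= MAX_FAILURES:
            return "locked"
        code, expires_at = self._codes.get(phone, (None, 0))
        if code is None or now > expires_at:
            return "expired"
        if hmac.compare_digest(submitted.encode(), code.encode()):
            del self._codes[phone]        # single use
            self._failures.pop(phone, None)
            return "ok"
        count, start = self._failures[phone]
        self._failures[phone] = (count + 1, start)
        if count + 1 >= MAX_FAILURES:
            self._codes.pop(phone, None)  # burn the code on lockout
        return "wrong"
```

With five attempts per hour against a six-digit code, blind guessing succeeds with probability of at most 5 in 1,000,000 per window, and even the correct code is refused once the number is locked.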

Mänôz reported the bug to Meta in September and the company fixed it soon after, earning him a bounty of more than $27,000.

There is no indication that anyone has been attacked using this vulnerability, and the issue is now fixed.

There are details about the problem at this link.