Two-Factor Authentication is a security measure that is supposed to vastly improve one’s chances of avoiding unauthorized logins. Unfortunately, Meta’s version of this measure recently proved to do just the opposite, at least in theory.
Meta’s Two-Factor Authentication (2FA) functions like any other. To log in, users must provide a phone number to which a verification code is sent, enter the code when prompted, and then enter their password.
This should prevent bad actors from taking over a Facebook or Instagram account because, even if they do have a user’s login details, they most likely don’t have physical (or virtual) access to the prospective victim’s phone.
But, as reported by TechCrunch, Meta’s 2FA system had a potentially fatal flaw that allowed anyone to turn off 2FA for another user, making account access one step easier.
The bug was discovered by a Nepalese security researcher named Gtm Mänôz, who has since been compensated $27,000 for his find by Meta.
The bug itself stemmed from the simple fact that Meta did not cap the number of times someone could enter a 2FA code. After adding a victim’s phone number to their own account, an attacker could therefore brute-force the six-digit 2FA code from their own account settings.
Once the 2FA check had been bypassed this way, the feature could be turned off, leaving the attacker a simple password-phishing attempt away from gaining access to the user’s Meta account.
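The flaw described above is the absence of an attempt limit on code verification. As an added illustration (not Meta’s code; all names, the five-attempt cap and the constructed phone numbers are hypothetical), here is a verification endpoint that burns a code after a fixed number of wrong guesses, so that exhaustive guessing is bounded to a handful of tries instead of all one million values:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # failed guesses allowed before the code is burned (hypothetical policy)
CODE_TTL_SECONDS = 300    # a code also expires after five minutes regardless of attempts


@dataclass
class PendingCode:
    """One outstanding six-digit verification code tied to a phone number."""
    code: str
    issued_at: float
    failures: int = 0
    burned: bool = False


class OtpVerifier:
    """Hypothetical server-side SMS-code verifier with an attempt cap and expiry."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry is testable
        self._pending: dict[str, PendingCode] = {}

    def issue(self, phone: str) -> str:
        # secrets, not random: verification codes must be unpredictable
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[phone] = PendingCode(code, self._now())
        return code

    def verify(self, phone: str, guess: str) -> bool:
        pending = self._pending.get(phone)
        if pending is None or pending.burned:
            return False                     # nothing outstanding, or already locked out
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            pending.burned = True            # expired codes are never accepted
            return False
        # constant-time comparison so response timing does not leak matching prefixes
        if hmac.compare_digest(pending.code, guess):
            del self._pending[phone]         # single use: a code cannot be replayed
            return True
        pending.failures += 1
        if pending.failures >= MAX_ATTEMPTS:
            pending.burned = True            # from now on even the correct code is rejected
        return False


def exhaustive_guessing_succeeds(verifier: OtpVerifier, phone: str) -> bool:
    """Defender's check: try all 10^6 values in order; the cap must stop this."""
    return any(verifier.verify(phone, f"{n:06d}") for n in range(1_000_000))
```

With the cap in place an exhaustive run can only succeed if the real code happens to fall within the first MAX_ATTEMPTS guesses, a probability of MAX_ATTEMPTS in a million per issued code.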
Admittedly, brute-forcing a six-digit 2FA code is a tall order, and account access wouldn’t be guaranteed. Still, the existence of this bug should concern anyone who considers themselves even mildly security-conscious.
For its part, Meta confirmed that the bug has been fixed. It also said that the 2FA system in question had not been rolled out to the general public when Mänôz discovered the bug, and followed up with data showing that no one had been “abusing” the unlimited-attempt flaw within the relatively small test pool that did have access to it.