Connect with us

Hi, what are you looking for?

The American GeniusThe American Genius

Social Media

Loophole allowed anyone to bypass Facebook 2FA, Meta confirms

Meta seeks to calm fears after confirming they’ve awarded a hacker for discovering a bug that allowed anyone to bypass 2FA on Facebook.

facebook 2FA

Two-Factor Authentication is a security measure that is supposed to vastly improve one’s chances of avoiding erroneous logins. Unfortunately, Meta’s version of this measure recently proved to do just the opposite–at least in theory.

Meta’s Two-Factor Authentication (2FA) functions like any other. To log in, users must provide a phone number to which a verification code is sent, enter the code when prompted, and then enter their password.

This should prevent bad actors from taking over a Facebook or Instagram account because, even if they do have a user’s login details, they most likely don’t have physical (or virtual) access to the prospective victim’s phone.

But, as reported by TechCrunch, Meta’s 2FA system had a potentially fatal flaw that allowed anyone to turn off 2FA for another user, making account access one step easier.

The bug was discovered by a Nepalese security researcher named Gtm Mänôz, who has since been compensated $27,000 for his find by Meta.

Advertisement. Scroll to continue reading.

The bug itself resulted from the simple fact that Meta did not put an upper limit on the number of times someone could enter a 2FA code, which means that an attacker could–after adding a victim’s phone number to their own account–use brute force attacks to guess the 2FA code (which requires six digits) in their account settings.

Upon successful bypass of the 2FA system, the feature could then be turned off, and the attacker would be a simple password phishing attempt away from gaining access to the user’s Meta account.

Admittedly, the idea of brute-forcing a six-digit 2FA code is a bit lofty, and account access wouldn’t be guaranteed. However, the existence of this bug should concern anyone who considers themselves even mildly security-conscious.

For their part, Meta confirmed that the bug has been fixed; they also said that the 2FA system in question had not been rolled out to the general public at the time at which Mänôz discovered the bug, following up with data that shows no one was “abusing” the unlimited 2FA attempt exploit in the relatively small test pool of people who did have access to it.

Advertisement. Scroll to continue reading.

Jack Lloyd has a BA in Creative Writing from Forest Grove's Pacific University; he spends his writing days using his degree to pursue semicolons, freelance writing and editing, oxford commas, and enough coffee to kill a bear. His infatuation with rain is matched only by his dry sense of humor.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


American Genius
news neatly in your inbox

Subscribe to our mailing list for news sent straight to your email inbox.



Tech News

With Twitter/X becoming more unfriendly to the general user, many are looking for an alternative - but Meta's Threads may not be it either.

Tech News

Mark Zuckerberg believes the Quest Pro could replace laptops and PCs. This leaves many folks asking the age-old question, “Are we there yet?”

Tech News

Meta has made grand claims of transparency and ethics with their artificial intelligence, LLama, but some famous authors are challenging that.

Business Entrepreneur

Creating ads can be a headache, but Meta is hoping to bring forth generative AI that can create advertising with a few short descriptions.


The American Genius is a strong news voice in the entrepreneur and tech world, offering meaningful, concise insight into emerging technologies, the digital economy, best practices, and a shifting business culture. We refuse to publish fluff, and our readers rely on us for inspiring action. Copyright © 2005-2022, The American Genius, LLC.