Loophole allowed anyone to bypass Facebook 2FA, Meta confirms

Meta seeks to calm fears after confirming they’ve awarded a hacker for discovering a bug that allowed anyone to bypass 2FA on Facebook.


Two-factor authentication (2FA) is a security measure meant to keep an attacker out of an account even after the password has been stolen. Unfortunately, one of Meta's implementations recently proved to do the opposite: it gave an attacker a way to strip 2FA from someone else's account.

Meta's 2FA works like most others. A user registers a phone number with the account; at login, after entering the password, the user is texted a verification code and must enter it when prompted before the session is granted.

This should prevent bad actors from taking over a Facebook or Instagram account because, even if they have a user's password, they most likely don't control the victim's phone number and so never see the code.

But, as reported by TechCrunch, Meta's 2FA system had a serious flaw that allowed anyone who knew a victim's phone number to turn off 2FA for that user, making account access one step easier.


The bug was discovered by a Nepalese security researcher named Gtm Mänôz, who has since been compensated $27,000 for his find by Meta.

The bug itself came down to a missing rate limit. When a user adds a phone number to an account, Meta texts a six-digit confirmation code to that number and asks the user to enter it, but it did not cap the number of wrong codes that could be submitted. An attacker could therefore add a victim's phone number to their own account and, from their own account settings, brute-force the confirmation code: a six-digit code has only one million possible values, and with no limit on attempts an automated script can simply try them all.

Once a guessed code was accepted, the victim's phone number was linked to the attacker's account and SMS-based 2FA was turned off for the victim, leaving the attacker a simple password phishing attempt away from gaining access to the user's Meta account.

It is tempting to dismiss brute-forcing a six-digit code as far-fetched, but without a limit on attempts it is entirely practical: a million guesses at a few hundred requests per second takes roughly an hour, and the only thing standing between the attacker and success is how long each code stays valid. Account takeover was still not guaranteed, since the attacker also needed the password, but the existence of this bug should concern anyone who considers themselves even mildly security-conscious.
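To make the mechanism concrete, here is a small model of an SMS confirmation endpoint with and without an attempt cap, and an attacker loop that plays the role described above. This is an added example for illustration, not Meta's code or anything from the TechCrunch report; the phone number, the fixed code used so the run is reproducible, the ten-minute code lifetime and the cap of five attempts are all assumptions chosen for the demo.

```python
"""Model of a phone-number confirmation endpoint: unlimited guesses vs. an attempt cap.

Added example (not Meta's code). All numbers, codes and limits are constructed.
"""
import hmac
import secrets
import time

CODE_LEN = 6              # six-digit codes: only 10**6 possible values
CODE_TTL_SECONDS = 600    # assumed lifetime of an issued code (ten minutes)


class PhoneVerifier:
    """Keeps one pending confirmation code per phone number and checks submissions.

    max_attempts=None reproduces the reported weakness: nothing stops a caller
    from submitting wrong codes forever for the same pending confirmation.
    """

    def __init__(self, max_attempts=None, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.clock = clock            # injectable so expiry can be demonstrated
        self.pending = {}             # phone -> {"code", "issued", "attempts"}

    def issue_code(self, phone, code=None):
        """Generate a random code (or accept a fixed one for a reproducible demo)
        and 'send' it. The return value stands in for the SMS the number's real
        owner would receive; an attacker never sees it."""
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending[phone] = {"code": code, "issued": self.clock(), "attempts": 0}
        return code

    def verify(self, phone, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_pending_code'."""
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self.clock() - entry["issued"] > CODE_TTL_SECONDS:
            del self.pending[phone]
            return "expired"
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            return "locked"           # the cap that was missing in the reported bug
        entry["attempts"] += 1
        # constant-time compare: the code must not leak one digit at a time
        if hmac.compare_digest(entry["code"], submitted):
            del self.pending[phone]   # a confirmation code is single-use
            return "ok"
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            return "locked"           # even the right code is refused from here on
        return "wrong"


def brute_force(verifier, phone):
    """Attacker who has linked the victim's number to their own account and now
    submits every six-digit code in order. Returns (outcome, guesses_made)."""
    for guess in range(10 ** CODE_LEN):
        result = verifier.verify(phone, f"{guess:0{CODE_LEN}d}")
        if result != "wrong":
            return result, guess + 1
    return "exhausted", 10 ** CODE_LEN


def demo():
    """Run the attack against an uncapped verifier and a capped one."""
    victim = "+15555550100"       # constructed number, not a real account
    fixed_code = "482913"         # fixed so the demo is reproducible

    vulnerable = PhoneVerifier(max_attempts=None)
    vulnerable.issue_code(victim, code=fixed_code)
    v_outcome, v_guesses = brute_force(vulnerable, victim)

    hardened = PhoneVerifier(max_attempts=5)
    hardened.issue_code(victim, code=fixed_code)
    h_outcome, h_guesses = brute_force(hardened, victim)

    return (v_outcome, v_guesses), (h_outcome, h_guesses)


if __name__ == "__main__":
    (vo, vg), (ho, hg) = demo()
    print(f"no attempt cap : {vo} after {vg} guesses")
    print(f"cap of 5       : {ho} after {hg} guesses")
```

The uncapped verifier accepts the attacker's 482,914th guess in well under a second of local CPU time; against a live endpoint the bound is network throughput, not the size of the code space. The capped verifier refuses everything after five wrong submissions, including the correct code. Two caveats a practitioner would add: re-issuing a code must not silently reset the counter (otherwise the attacker just requests a fresh code every five guesses, so issuance needs its own per-number limit), and any lockout keyed on a phone number can be triggered by a stranger, so it should fail toward requiring a different verification path for the real owner rather than locking them out indefinitely.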

For their part, Meta confirmed that the bug has been fixed. They also said that the system in question, the new Meta Accounts Center, had not been rolled out to the general public when Mänôz discovered the bug, and followed up with data showing that no one had abused the unlimited-attempt flaw in the relatively small test pool of people who did have access to it.


Jack Lloyd has a BA in Creative Writing from Forest Grove's Pacific University; he spends his writing days using his degree to pursue semicolons, freelance writing and editing, oxford commas, and enough coffee to kill a bear. His infatuation with rain is matched only by his dry sense of humor.


The American Genius is a strong news voice in the entrepreneur and tech world, offering meaningful, concise insight into emerging technologies, the digital economy, best practices, and a shifting business culture. We refuse to publish fluff, and our readers rely on us for inspiring action. Copyright © 2005-2022, The American Genius, LLC.