Two-factor authentication (2FA) is frequently promoted to users as one of the best ways to safeguard an online identity, because it adds a layer of protection on top of your password. However, 2FA isn't completely foolproof: vulnerabilities can sometimes allow hackers to get around it.
One such security hole was discovered within Meta's privacy controls center, and it could have let hackers disable the 2FA protection on your Facebook account.
The flaw was discovered by Nepalese security researcher Gtm Manoz, who brought it to Meta's attention in September of the previous year. It may have been an error introduced by Meta's developers when they built the Accounts Center feature, which was unveiled just a few days ago as a central hub where users can view their settings across Meta's applications, including Facebook and Instagram.
Manoz's research showed that hackers could have exploited the flaw to get past authentication safeguards with a brute-force attack (via TechCrunch). The attack isn't rocket science. A bad actor who knew the phone number you use for authentication could try to link it to their own account, which would remove it from your Facebook account.
Although would-be hackers are unlikely to have access to the six-digit code sent to your phone, the flaw could have let them guess that code repeatedly until they got it right. The researcher believes this was because Meta did not set an upper limit on the number of attempts a user could make to enter the one-time code. A successful brute-force attempt could also result in 2FA protection for your account being disabled completely.
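The control described as missing above, sketched as an added example (this is not Meta's code; the class, the `target` key and every policy value are assumptions). It goes one step beyond the article by also capping how many codes can be issued, since an attempt limit alone can be sidestepped by requesting a fresh code.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # wrong guesses allowed per code (assumed policy)
CODE_TTL = 300            # seconds a code stays valid (assumed policy)
MAX_CODES_PER_HOUR = 3    # codes issued per target per hour (assumed policy)


class OtpVerifier:
    def __init__(self):
        self._pending = {}   # target -> [code, expires_at, failures]
        self._issued = {}    # target -> timestamps of recently issued codes

    def issue(self, target, now=None):
        """Create a code for `target` (e.g. account id + phone number)."""
        now = time.time() if now is None else now
        recent = [t for t in self._issued.get(target, []) if now - t < 3600]
        if len(recent) >= MAX_CODES_PER_HOUR:
            return None      # refuse: stops "request a fresh code, guess again"
        self._issued[target] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[target] = [code, now + CODE_TTL, 0]
        return code          # in production this is sent by SMS, not returned

    def verify(self, target, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(target)
        if entry is None or now >= entry[1]:
            self._pending.pop(target, None)
            return "no-valid-code"
        if hmac.compare_digest(submitted.encode(), entry[0].encode()):
            del self._pending[target]        # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[target]        # burn the code, not just count
            return "locked"
        return "wrong"


def worst_case_guess_odds():
    """Upper bound on an attacker's hourly success chance under this policy."""
    return MAX_ATTEMPTS * MAX_CODES_PER_HOUR / 10**6
```

Once a code is burned, even the correct value is rejected, so the six-digit space can no longer be walked through one guess at a time.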
Fortunately, Meta fixed the bug in December, only a few months after it received Manoz's report (for which he got a bug bounty of $27,200). In a statement sent to TechCrunch, Meta spokesperson Gabby Curtis said that the bug was discovered during a brief public test. Meta has said there is no evidence that the bug was exploited in the wild before the fix was issued.
Meta has experienced its fair share of privacy and security issues across its suite of applications in recent times, and this latest security loophole, although fixed, may give users a reason to doubt the features it offers.