• btc = $66 566.00 2 366.36 (3.69 %)

  • eth = $3 491.25 82.08 (2.41 %)

  • ton = $7.34 0.04 (0.50 %)

  • btc = $66 566.00 2 366.36 (3.69 %)

  • eth = $3 491.25 82.08 (2.41 %)

  • ton = $7.34 0.04 (0.50 %)

31 Jan, 2023
1 min time to read

Gtm Mänôz, a security researcher from Nepal, has recently found out that the number of attempts to enter a two-factor code when logging into an account in the Meta Account Center was unlimited.

Knowing a victim`s phone number, an attacker could input it in the Meta Account Center and get that number linked to his/her Facebook account. Meta did not set an upper limit to the number of attempts, so, the 2FA SMS code would be brute forced. The attacker could set a program or script to get the code.

As soon as the hacker picked the right code, the victim`s phone number would become linked to the hacker`s Facebook account.

Gtm Mänôz commented:

"Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number"

Meta`s representative Gabby Curtis commented that no overuse of that feature was detected; the bug has been fixed. Gtm Mänôz was awarded, Meta paid him $27200.