31 Jan, 2023

Gtm Mänôz, a security researcher from Nepal, recently found that the Meta Account Center placed no limit on the number of attempts to enter a two-factor code when logging into an account.

Knowing a victim's phone number, an attacker could enter it in the Meta Account Center and request that the number be linked to his or her own Facebook account. Because Meta set no upper limit on the number of attempts, the 2FA SMS code could be brute-forced: the attacker could leave a program or script running until it hit the right code.

As soon as the hacker picked the right code, the victim's phone number would become linked to the hacker's Facebook account, and the victim's SMS-based 2FA would no longer work.
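The missing control was an attempt budget on code entry. The following is an added illustration, not Meta's code, of a phone-linking verifier that counts attempts per phone number and locks the pending code after a fixed number of failures; the budget (5), the code length (6 digits) and the phone number used are assumed values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values for this example, not Meta's actual settings.
MAX_ATTEMPTS = 5    # failed guesses allowed per issued code
CODE_DIGITS = 6     # length of the SMS code


@dataclass
class PendingLink:
    code: str
    attempts: int = 0
    locked: bool = False


@dataclass
class PhoneLinkVerifier:
    # Keyed by phone number, so the budget is tied to the target of the
    # link request rather than to whichever session is submitting guesses.
    pending: dict = field(default_factory=dict)

    def issue_code(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[phone] = PendingLink(code)   # re-issuing resets the budget
        return code

    def verify(self, phone: str, guess: str) -> str:
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if entry.locked:
            return "locked"            # even the right code is refused now
        entry.attempts += 1
        if hmac.compare_digest(entry.code, guess):
            del self.pending[phone]   # single use: a matched code is consumed
            return "linked"
        if entry.attempts >= MAX_ATTEMPTS:
            entry.locked = True       # enumeration stops here, not at 10**6
            return "locked"
        return "wrong_code"
```

With no such counter every one of the 10**6 possible codes can be tried; with it, an attacker gets at most MAX_ATTEMPTS guesses per issued code.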

Gtm Mänôz commented:

"Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number"

Meta's representative Gabby Curtis commented that no abuse of the feature had been detected and that the bug has been fixed. Gtm Mänôz was rewarded: Meta paid him $27200.