An error in Facebook's two-factor authentication system allowed cybercriminals to disable the mechanism and steal accounts on the platform with only the victim's phone number. The error was discovered by an expert from Nepal and was reported by TechCrunch on Monday (30).

The issue affected Meta's Account Center, which was launched recently and made it possible to link all of the same user's accounts on the holding company's platforms. According to security researcher Gtm Mänôz, the company did not place a limit on attempts to verify the authentication code sent to the registered number.

Therefore, the attacker only needed to know the target’s phone number, go to the login linking system and associate the number with his own account, which deactivated the extra protection. The attacker could then attempt to obtain the target profile’s password through a phishing attack.

Mänôz said that deactivating the second protection factor was possible only because no limit had been defined on the number of attempts to carry out the procedure. During his testing, the platform sent an email stating that the feature was no longer activated after the phone was linked to someone else’s account.
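
One way to enforce the attempt limit that was missing, as an added example (not Meta's code; the class name, limits and lockout window are assumptions). Failures are counted per phone number rather than per issued code or per account, so requesting a fresh code or switching accounts does not reset the counter.

```python
import hmac
import secrets
import time

# Assumed policy values for illustration; not Meta's real limits.
MAX_FAILURES = 5      # wrong codes tolerated per phone number
CODE_TTL = 300        # seconds a code stays valid
LOCKOUT = 3600        # seconds the number stays locked after MAX_FAILURES


class PhoneLinkVerifier:
    """Hypothetical verifier for linking a phone number to an account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._codes = {}     # (account_id, phone) -> (code, expires_at)
        self._failures = {}  # phone -> (count, time_of_first_failure)

    def _locked(self, phone):
        count, since = self._failures.get(phone, (0, 0.0))
        if count and self._clock() - since >= LOCKOUT:
            del self._failures[phone]  # window elapsed: forget old failures
            return False
        return count >= MAX_FAILURES

    def issue(self, account_id, phone):
        """Create a 6-digit code, or return None while the number is locked."""
        if self._locked(phone):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[(account_id, phone)] = (code, self._clock() + CODE_TTL)
        return code  # a real service sends this by SMS and never returns it

    def verify(self, account_id, phone, submitted):
        if self._locked(phone):
            return "locked"  # even a correct code is refused while locked
        key = (account_id, phone)
        code, expires_at = self._codes.get(key, ("", 0.0))
        if not code or self._clock() >= expires_at:
            self._codes.pop(key, None)
            return "no_valid_code"
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._codes[key]
            self._failures.pop(phone, None)
            return "ok"
        # Count the failure against the phone number, not the code or account.
        count, since = self._failures.get(phone, (0, self._clock()))
        self._failures[phone] = (count + 1, since)
        return "wrong"
```

With these values, at most five guesses per hour can be made against a space of one million codes for any given number.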

The fix has already been released

The flaw in Meta’s Account Center was discovered in mid-September last year. The researcher reported the vulnerability to the company at the time and received a reward of more than $27,000, equivalent to R$138,100 at current values.

The vulnerability was patched shortly after it was reported, and there is no evidence of malicious abuse as the feature was in beta at the time and was only available to a small percentage of users. The company also said that the bug only affects Facebook accounts.

Source: Tec Mundo
