A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing the account holder’s phone number.
Gtm Mänôz, a security researcher from Nepal, realized that Meta did not limit the number of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
With a victim’s phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the number of attempts someone could make.
Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else’s account.
“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.
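The control the article says was missing, shown as an added example (not Meta's code or the researcher's): a verifier that caps wrong guesses per phone number, so requesting a fresh code or switching to another account does not reset the count. The code length, five-failure cap, expiry, lockout period and all names are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6    # assumed code length
CODE_TTL = 300     # assumed code lifetime, seconds
MAX_FAILURES = 5   # assumed cap on wrong guesses per phone number
LOCKOUT = 3600     # assumed lockout after the cap is hit, seconds

class PhoneLinkVerifier:
    def __init__(self):
        self._codes = {}     # (account_id, phone) -> (code, expires_at)
        self._failures = {}  # phone -> (wrong_guesses, locked_until)

    def _locked(self, phone, now):
        return now < self._failures.get(phone, (0, 0.0))[1]

    def issue(self, account_id, phone, now=None):
        now = time.time() if now is None else now
        if self._locked(phone, now):
            return None  # no fresh code while the number is locked
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[(account_id, phone)] = (code, now + CODE_TTL)
        return code  # a real service sends this by SMS and never returns it

    def verify(self, account_id, phone, guess, now=None):
        now = time.time() if now is None else now
        if self._locked(phone, now):
            return "locked"
        code, expires_at = self._codes.get((account_id, phone), (None, 0.0))
        if code is None or now > expires_at:
            return "no_code"
        # Constant-time comparison of the submitted code.
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[(account_id, phone)]  # codes are single use
            self._failures.pop(phone, None)
            return "ok"
        # The counter is keyed on the claimed phone number, not the requester.
        count = self._failures.get(phone, (0, 0.0))[0] + 1
        if count >= MAX_FAILURES:
            self._failures[phone] = (0, now + LOCKOUT)
            self._codes.pop((account_id, phone), None)  # burn the code
            return "locked"
        self._failures[phone] = (count, 0.0)
        return "wrong"
```

With these assumed values, a guesser gets at most five tries per hour against a space of one million codes. Locking on the phone number also delays the legitimate owner during the lockout, which is the trade-off to tune.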
https://techcrunch.com/