A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number.
Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
With a victim’s phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make.
Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else’s account.
“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.
https://techcrunch.com/
Digital twins — virtual representations of actual systems — have become an important component in how engineers and analysts build, visualize and operate AI projects, network security and other complicated architectures that might have a number of components working (or malfunctioning as the case may be) in tandem. Today, a startup called Forward Networks — which has […]
Apple on Monday released a new version of the iPhone and iPad’s operating systems to fix a vulnerability that hackers were exploiting in the wild, meaning they were taking advantage of it to hack Apple devices. On the security update page, Apple wrote that it “is aware of a report that this issue may have […]
Cloud computing giant Rackspace has confirmed hackers accessed customer data during last month’s ransomware attack. The attack, which Rackspace first confirmed on December 6, impacted the company’s hosted Exchange email environment, forcing the web giant to shut down the hosted email service following the incident. At the time, Rackspace said it was unaware “what, if […]
Leave a Reply