Two-factor authentication (2FA) is often marketed to consumers as one of the strongest tools for protecting your digital life, adding an extra layer of security on top of your password. However, 2FA isn't foolproof, as some loopholes may occasionally allow cybercriminals to get around this security measure. One such security flaw was recently spotted in Meta's privacy control hub, which could have allowed hackers to disable your Facebook account's 2FA protection.

The hack was uncovered by Nepalese security researcher Gtm Mänôz, who brought it to Meta's attention in September of last year. It was presumably an honest oversight by Meta engineers when they created the Accounts Center feature, which was unveiled several days ago as a centralized hub where users can access their settings across Meta's apps, such as Facebook and Instagram.

Mänôz's findings revealed that hackers could have used the bug to sneak past authentication protections using brute-force attacks (via TechCrunch). The hack isn't rocket science: bad actors who know the phone number you use for authentication could link that number to their own account, removing it from your Facebook account.

While would-be hackers are unlikely to have access to a six-digit authentication code sent to your phone number, the bug could have allowed them to guess that code multiple times until they got it right. According to the researcher, this is due to Meta failing to set an upper limit for the number of attempts that users can make when entering the one-time code. Worse, brute-force methods could have resulted in your account's 2FA protection being completely disabled.
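The missing control described above is a cap on failed guesses per issued code. The sketch below is an added example, not Meta's code: the class name, the cap of 5 attempts and the 300-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed cap; the page does not state Meta's value
CODE_TTL_SECONDS = 300  # assumed code lifetime


class OtpChallenge:
    """One six-digit code issued for one phone-number confirmation."""

    def __init__(self, now=None):
        # CSPRNG-generated code, zero-padded to six digits.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = time.time() if now is None else now
        self.failed = 0
        self.consumed = False

    def verify(self, guess, now=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        # Check the lock first: once the cap is hit, even the right
        # code is refused, so further guessing gains nothing.
        if self.consumed or self.failed >= MAX_ATTEMPTS:
            return "locked"
        if now - self.issued_at > CODE_TTL_SECONDS:
            return "expired"
        # Constant-time comparison avoids leaking matching prefixes.
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.consumed = True  # single use
            return "ok"
        self.failed += 1
        return "wrong"


def guess_success_probability(attempts_allowed, digits=6):
    """Chance of hitting a uniformly random code with distinct guesses."""
    return min(1.0, attempts_allowed / 10**digits)
```

The cap only holds if the number of challenges that can be issued per phone number is also limited; otherwise requesting a fresh code resets the counter.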

Fortunately, Meta fixed the issue in December, a few months after receiving Mänôz's report (for which he received a $27,200 bug bounty). In a statement to TechCrunch, Meta spokesperson Gabby Curtis explained that the bug was spotted during a small public test. The company has assured the public that there's no evidence the bug was exploited in the wild before a fix was released.

Seeing as Meta has had a fair share of security and privacy problems involving its suite of apps in recent years, the most recent security loophole—albeit fixed—might give people another reason to be skeptical about the features it releases.