Researcher finds bug that can allow hackers to bypass Facebook, Instagram 2FA

Gtm Mänôz, a security researcher from Nepal, has discovered a critical flaw in Facebook's and Instagram's two-factor authentication (2FA) that can allow hackers to bypass the security measures. Hackers with access to a target's phone number might have used the 2FA bypass problem to disable the security measure. 

The researcher also discovered that the new Meta Accounts Centre, which enables users integrate all their Meta accounts, including Facebook and Instagram, did not have a restriction on attempts when users input the two-factor code needed to log in to their accounts. 

According to TechCrunch report, an attacker could force into victim's two-factor SMS code by going to Facebook's centralised accounts centre, entering the victim's phone number, linking that number to their own Facebook account, and then trying to reset the code.  

Once the hacker entered the correct code, their Facebook account became linked with the victim's phone number. In the event of a successful attack, Meta will still notify the target that their two-factor authentication has been deactivated because their phone number has been associated with another account. 

Meta allowed users to verify their Instagram and Facebook accounts with a six-digit code given through email or SMS. However, a web host, such as Burp Suite, can intercept the request and change the numbers to anything else. 

The researcher first reported the issue to Meta on September 14, which was resolved on October 17. Finally, the company paid out the $27,200 reward for what they considered to be one of the most significant flaws discovered in 2022, according to a blog post on Medium by Gtm Mänôz. 

Tech Crunch quoted a spokesman for Meta, Gabby Curtis, as claiming that the login mechanism was still in a beta phase at the time of the problem. After looking into the reported flaw, Meta discovered that it had not been exploited in the wild, and that the company had not noticed a rise in demand for the affected functionality.