Your Facebook 2FA protection was briefly at risk

Two-factor authentication (2FA) is often marketed to consumers as one of the strongest tools for protecting your digital life, adding an extra layer of security on top of your password. However, 2FA isn’t foolproof, as some loopholes may occasionally allow cybercriminals to get around this security measure. One such security flaw was recently spotted in Meta’s privacy control hub, which could have allowed hackers to disable your Facebook account’s 2FA protection.

The hack was uncovered by Nepalese security researcher Gtm Mänôz, who brought it to Meta’s attention in September of last year. It was presumably an honest oversight by Meta engineers when they created the Accounts Center feature, which was unveiled several days ago as a centralized hub where users can access their settings across Meta’s apps, such as Facebook and Instagram.

Mänôz’s findings revealed that hackers could have used the bug to sneak past authentication protections using brute force attacks (via TechCrunch). The hack isn’t rocket science: bad actors who know the phone number you use for authentication could link it to their own account, removing it from your Facebook account.

While would-be hackers are unlikely to have access to a six-digit authentication code sent to your phone number, the bug could have allowed them to guess that code multiple times until they got it right. According to the researcher, this is due to Meta failing to set an upper limit for the number of attempts that users can make when entering the one-time code. Worse, brute-force methods could have resulted in your account’s 2FA protection being completely disabled.
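The missing control described above is an upper bound on wrong guesses per one-time code. An added sketch (not Meta's code; the class names, the five-attempt cap and the five-minute lifetime are assumptions) of a verifier that burns the code once the cap is reached:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy value, not Meta's
CODE_TTL_SECONDS = 300  # assumed policy value, not Meta's


@dataclass
class Challenge:
    code: str
    expires_at: float
    failures: int = 0


class OtpVerifier:
    """Tracks one pending code per (account, phone number) pair."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}

    def issue(self, account, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # uniform six-digit code from a CSPRNG
        self._pending[(account, phone)] = Challenge(code, self._clock() + CODE_TTL_SECONDS)
        return code  # a real service sends this by SMS; returned here for the demo

    def verify(self, account, phone, guess):
        key = (account, phone)
        ch = self._pending.get(key)
        if ch is None:
            return "no_challenge"
        if self._clock() >= ch.expires_at:
            del self._pending[key]
            return "expired"
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            del self._pending[key]
            return "ok"
        ch.failures += 1
        if ch.failures >= MAX_ATTEMPTS:
            # Burn the code: more guesses require a fresh SMS, which can be
            # throttled and alerted on separately.
            del self._pending[key]
            return "locked"
        return "wrong"
```

With this cap, each issued code gives a guesser at most five tries out of 1,000,000 possible values, so the remaining control is limiting how often a new code can be requested.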

Fortunately, Meta fixed the issue in December, a few months after receiving Mänôz’s report (for which he received a $27,200 bug bounty). In a statement to TechCrunch, Meta spokesperson Gabby Curtis explained that the bug was spotted during a small public test. The company has assured the public that there’s no evidence the bug was exploited in the wild before a fix was released.

Seeing as Meta has had a fair share of security and privacy problems involving its suite of apps in recent years, the most recent security loophole, albeit fixed, might give people another reason to be skeptical about the features it releases.
