Hacker Spots Flaw That Bypasses Facebook 2FA

A security researcher from Nepal discovered a bug in Meta’s centralized login system for Facebook and Instagram that could allow anyone to bypass Facebook’s two-factor authentication.

“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” hacker and researcher Gtm Mänôz told TechCrunch.

Meta had not set a limit on the number of attempts a user could make when entering the two-factor code used to log into their accounts on the new Meta Accounts Center, Mänôz notes.

Using a victim’s phone number or email address, an attacker could go to the centralized accounts center, enter the victim’s phone number, and brute-force the two-factor SMS code.

The victim’s phone number would become linked to the attacker’s Facebook account once the attacker guessed the code correctly.
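The missing attempt limit described above, modelled as an added Python example written for this page (it is not Meta’s code or the researcher’s): a toy code-verification endpoint with no attempt limit beside a hardened one that counts failures per target phone number, locks the number out, and invalidates the pending code. The sample phone number, the policy values (5 attempts, 15-minute lockout), the class names and the `brute_force_simulation` helper are all assumptions made for the illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # SMS codes are typically six digits: 1,000,000 possible values
MAX_ATTEMPTS = 5         # assumed policy value for this example, not Meta's actual setting
LOCKOUT_SECONDS = 900    # assumed policy value for this example


class UnlimitedOtpVerifier:
    """Toy model of a phone-linking endpoint that checks the SMS code with no attempt limit.

    This is the flaw class the article describes: every wrong guess is simply rejected,
    so a caller can walk the whole code space.
    """

    def __init__(self):
        self.pending = {}  # phone number -> code currently awaiting confirmation

    def send_code(self, phone, code=None):
        # A real service would text the code; here it is only stored so verify() can check it.
        # `code` may be supplied to make tests deterministic.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[phone] = code

    def verify(self, phone, guess):
        expected = self.pending.get(phone)
        # Constant-time comparison avoids a timing leak; it does nothing against brute force.
        if expected is None or not hmac.compare_digest(expected, guess):
            return False
        self.pending.pop(phone, None)  # a correct code is single-use
        return True


class RateLimitedOtpVerifier(UnlimitedOtpVerifier):
    """Hardened variant: per-phone-number failure counter, lockout and code invalidation.

    The counter is keyed by the *target* phone number rather than by the caller, because the
    attacker in the article only needs to know the victim's number; a limit keyed by source
    IP alone would be defeated by spreading guesses across many clients.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        super().__init__()
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can advance time
        self.failures = {}            # phone number -> consecutive wrong guesses
        self.locked_until = {}        # phone number -> monotonic time the lockout ends

    def verify(self, phone, guess):
        now = self.clock()
        until = self.locked_until.get(phone)
        if until is not None:
            if until > now:
                return False          # still locked: reject without looking at the code
            del self.locked_until[phone]   # lockout expired; start a fresh window
            self.failures.pop(phone, None)
        if super().verify(phone, guess):
            self.failures.pop(phone, None)
            return True
        n = self.failures.get(phone, 0) + 1
        self.failures[phone] = n
        if n >= self.max_attempts:
            self.locked_until[phone] = now + self.lockout_seconds
            self.pending.pop(phone, None)  # invalidate the code so a new one must be requested
        return False


def brute_force_simulation(verifier, phone):
    """Enumerate every possible code against an in-memory verifier.

    Returns (succeeded, guesses_made). Against the unlimited verifier this always succeeds;
    against the rate-limited one it never does, because the code is invalidated after
    max_attempts failures and the number is locked.
    """
    total = 10 ** CODE_DIGITS
    for guess_int in range(total):
        if verifier.verify(phone, f"{guess_int:0{CODE_DIGITS}d}"):
            return True, guess_int + 1
    return False, total


if __name__ == "__main__":
    victim = "+15550100200"  # constructed sample number
    for cls in (UnlimitedOtpVerifier, RateLimitedOtpVerifier):
        v = cls()
        v.send_code(victim)
        ok, guesses = brute_force_simulation(v, victim)
        print(f"{cls.__name__}: succeeded={ok} after {guesses} guesses")
```

Running the script shows the unlimited verifier giving up the code somewhere within the million guesses, while the rate-limited one locks the number after five failures and rejects everything afterwards, including the correct code. Invalidating the pending code on lockout matters as much as the counter: if the code survived, an attacker could simply wait out each lockout window and resume where they left off.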

A successful attack would still result in Meta sending the victim a message saying their two-factor authentication had been disabled because their phone number was linked to someone else’s account.

[Image: Facebook email about two-factor authentication]

This would give the attacker a window to take over the victim’s Facebook account just by phishing for the password, since the target no longer had 2FA enabled.

Mänôz reported the bug to Meta last year, and the company fixed it a month later. Meta ultimately paid the researcher $27,200 for reporting the flaw.