Facebook exposed a security vulnerability that can be brute-forced to bypass two-factor authentication

Security researchers from Nepal recently discovered a new vulnerability in the login system of Meta's Facebook, Instagram and other applications, allowing anyone to bypass Facebook's two-factor authentication.

"Anyone can exploit this vulnerability to bypass SMS-based two-factor authentication if they know the recipient's phone number," researcher Gtm Mänôz told TechCrunch.

Mänôz said the vulnerability existed in Meta Group's unified login system, where Meta did not set an attempt limit when users entered the two-factor code used to log into their accounts.

This means that all an attacker needs to know is the target's phone number or email address, and they can brute force the two-factor SMS code. Once the attacker obtains the correct verification code, the attacker can then launch subsequent attacks.

It is understood that even after the attacker successfully attacks, Meta will remind the user that the account has been linked to someone else's account, so two-factor authentication is disabled.

Mänôz reported the bug to the company last year, and Meta has now fixed the vulnerability. Meta eventually paid him $27,200 (currently about 184,000 RMB) for his discovery.