Meta’s Account Center came with a 2FA-defeating bug

Meta logo in white on red background
Illustration by Nick Barclay / The Verge

Meta’s Accounts Center feature had a bug that let hackers brute force SMS two-factor authentication, allowing them to bypass the additional protection (via TechCrunch). The vulnerability, which Meta says it fixed in December, was reported by Nepalese security researcher Gtm Mänôz, who detailed the exploit in a Medium post earlier this month.

It was a significant find, as Meta seems to be putting more and more focus on its Accounts Center feature, letting you manage settings and security information from it, as well as use it to switch to your other accounts. According to Mänôz, the attack was relatively simple; if you knew the phone number or email address the other person used for two-factor authentication, you could link it to your own…

Continue reading…