
Hacker Discovers Bug that Allows Anyone to Bypass Facebook 2FA

Once the attacker entered the code correctly, the victim’s phone number was linked to the attacker’s Facebook account.

If the attack succeeded, Meta would still send a message to the victim saying that their two-factor authentication had been disabled because their phone number had been linked to another account.


Manoz told TechCrunch that the most impactful effect of the bug was that it let an attacker revoke SMS-based 2FA on any account: the attacker only needed to know the victim’s phone number.

Once the victim’s two-factor authentication had been disabled in this way, the attacker could attempt to take over the victim’s Facebook account simply by phishing for their password, because the account no longer had a second factor protecting it.

Manoz discovered the bug within the Meta Accounts Center last summer and reported it to the company in mid-September. Meta corrected the bug within a few days and paid Manoz $27,200 for reporting it.

Meta spokesperson Gabby Curtis told TechCrunch that, at the time of the bug, the login system was still in a small-scale public testing phase. Curtis said that Meta had found no evidence of the bug being exploited in the wild and had seen no spike in use of the feature after it was reported, which would indicate that nobody was abusing it.
