Facebook and Instagram users fell victim to account takeover attacks due to a bug in a new centralized system created by Meta.
The bug was discovered by Nepali security researcher Gtm Mänôz, who found that the Meta Accounts Center, which helps users link all their Meta accounts, set no limit on the number of attempts to enter a two-factor authentication (2FA) code.
An attacker could exploit this vulnerability by using a victim's phone number to link that number to the attacker's own Facebook account, then attempting to brute-force the 2FA code.
With no upper limit on the number of attempts, the attacker could eventually guess the correct code, thereby linking the victim’s phone number to their own Facebook account.

This will disable the victim’s 2FA protection and send a notification to the victim that their phone number has been linked to another account.
Facebook and Instagram users are advised to check their 2FA settings and ensure that their phone number is properly linked to their account to prevent any potential account takeover attacks.
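The missing control described above is a cap on wrong guesses per issued code, plus a cap on how many codes can be requested for one phone number. The following is an added example, not Meta's code: the class name, the 6-digit code length and all limits are assumptions chosen for illustration.

```python
import hmac
import secrets

# Assumed policy values; the article gives no figures.
CODE_DIGITS = 6
MAX_FAILURES = 5        # wrong guesses allowed per issued code
CODE_TTL = 300          # seconds a code stays valid
MAX_ISSUES = 3          # codes issued per phone number per window
ISSUE_WINDOW = 3600     # seconds


class PhoneLinkVerifier:
    """Hypothetical server-side check for linking a phone number to an account."""

    def __init__(self):
        self.pending = {}   # (account, phone) -> {"code", "issued", "failures"}
        self.issues = {}    # phone -> timestamps of recently issued codes

    def issue(self, account, phone, now):
        """Create a code for delivery by SMS, or return None if throttled."""
        recent = [t for t in self.issues.get(phone, []) if now - t < ISSUE_WINDOW]
        if len(recent) >= MAX_ISSUES:
            return None     # stops the cap being reset by requesting new codes
        self.issues[phone] = recent + [now]
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[(account, phone)] = {"code": code, "issued": now, "failures": 0}
        return code

    def verify(self, account, phone, guess, now):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        entry = self.pending.get((account, phone))
        if entry is None:
            return "locked"             # no live code: used, burned or never issued
        if now - entry["issued"] > CODE_TTL:
            del self.pending[(account, phone)]
            return "expired"
        if hmac.compare_digest(guess.encode(), entry["code"].encode()):
            del self.pending[(account, phone)]   # single use
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_FAILURES:
            del self.pending[(account, phone)]   # burn the code after the cap
        return "wrong"


def guess_bound():
    """Upper bound on blind-guess success per phone number per window."""
    return MAX_ISSUES * MAX_FAILURES / 10 ** CODE_DIGITS
```

With these assumed limits, a blind guesser gets at most 15 tries per phone number per hour, so the chance of success in that window is at most 15 in 1,000,000.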



