A recent bug in Meta's Facebook and Instagram shows that you cannot always trust a password or two-factor authentication (2FA) to keep your private data, pictures, and content secure.
A bug bounty hunter discovered a flaw in Meta's Instagram code that could have let an attacker brute-force a one-time code and bypass Facebook's two-factor authentication (2FA).
Two-factor authentication, also known as multi-factor authentication (MFA), is a security process that requires two or more methods of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. This provides a higher level of security than traditional single-factor authentication (such as a password only). Examples of factors include something the user knows (e.g. a password), something the user has (e.g. a phone), and something the user is (e.g. biometric data).
As we all know, password-only security is not great.
So two-factor authentication is meant to protect us, right? That assumes it has been coded properly, without flaws.
The researcher's initial discovery was that a user could link their Facebook and Instagram accounts by entering a mobile number connected to an already verified Facebook account. After the user enters the phone number, Facebook generates a one-time code to confirm their identity.
However, because of a rate-limiting flaw on Instagram's endpoint, a threat actor could generate unlimited bot traffic to brute-force the one-time Facebook PIN used to link the accounts, essentially bypassing Facebook's 2FA safeguards. The code is only six digits long, so an endpoint that does not cap the number of guesses per code can be exhausted by a script.
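To make the failure mode concrete, here is an added Python simulation of a phone-confirmation endpoint that accepts a six-digit one-time code. It is not Meta's code and is not taken from the researcher's write-up: the `OtpVerifier` class, the phone number, the five-attempt limit and the attacker loop are all assumptions for illustration. Without a per-code attempt limit the attacker simply walks the one-million-code space; with one, the code is invalidated after a handful of guesses and the attacker has to trigger a fresh code (which is where a second, sending-side rate limit applies).

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5   # assumed policy: guesses allowed per issued code
CODE_LEN = 6       # six-digit numeric one-time code, as in the bug described


@dataclass
class PendingVerification:
    code: str
    attempts: int = 0
    locked: bool = False


class OtpVerifier:
    """Simulated phone-confirmation endpoint (hypothetical, not Meta's).

    rate_limited=False reproduces the class of flaw described above:
    the endpoint accepts an unbounded number of guesses for one code.
    rate_limited=True shows the fix: the code is invalidated after
    MAX_ATTEMPTS wrong guesses. The limit must be enforced on every
    endpoint that accepts the code; in the real bug one surface was
    throttled and another was not.
    """

    def __init__(self, rate_limited: bool):
        self.rate_limited = rate_limited
        self.pending: dict[str, PendingVerification] = {}

    def send_code(self, phone: str) -> str:
        # In production this would be delivered over SMS; it is returned
        # here only so the stand-alone demo can run offline.
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending[phone] = PendingVerification(code)
        return code

    def verify(self, phone: str, guess: str) -> bool:
        pv = self.pending.get(phone)
        if pv is None or pv.locked:
            return False
        pv.attempts += 1
        if self.rate_limited and pv.attempts > MAX_ATTEMPTS:
            # Invalidate the code rather than just delaying: the attacker
            # must now trigger a new code, which is itself rate-limited.
            pv.locked = True
            return False
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(pv.code, guess):
            del self.pending[phone]
            return True
        return False


def brute_force(verifier: OtpVerifier, phone: str) -> tuple[bool, int]:
    """Attacker side: try every six-digit code in order.

    Returns (success, number of verification requests sent).
    """
    for n in range(10 ** CODE_LEN):
        guess = f"{n:0{CODE_LEN}d}"
        if verifier.verify(phone, guess):
            return True, n + 1
        pv = verifier.pending.get(phone)
        if pv is not None and pv.locked:
            # Server has invalidated the code; further guesses are useless.
            return False, n + 1
    return False, 10 ** CODE_LEN


def demo(rate_limited: bool) -> tuple[bool, int]:
    """Issue a random code to a constructed phone number and attack it."""
    phone = "+15550100"   # constructed sample number
    v = OtpVerifier(rate_limited)
    v.send_code(phone)
    return brute_force(v, phone)


if __name__ == "__main__":
    print("no rate limit :", demo(rate_limited=False))
    print("with limit    :", demo(rate_limited=True))
```

Running it shows the unthrottled verifier always yielding to the attacker after at most one million requests, while the throttled one locks the code after the sixth request. Note that the limit is keyed to the issued code, not to the client's IP address; per-IP throttling alone is easily defeated by the "infinite bot traffic" the researcher describes, since the attacker controls how many source addresses the guesses come from.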
The researcher further stated that once inside the account, an attacker could completely disable SMS-based Facebook 2FA and skip the verification steps for both unknown and already-registered Facebook and Instagram accounts.
“If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from the victim’s account,” Mänôz wrote. “And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim’s account.”
Meta has since fixed the problem and, as part of its bug bounty program, awarded the researcher $27,000.
This case highlights that, in general, complete privacy online is difficult to guarantee. While some measures, such as using encryption and strong, unique passwords, increase privacy, data can still be accessed or intercepted by malicious actors or exposed through security breaches. It is also important to note that many online services collect and store user data for various purposes, such as targeted advertising or performance optimization. So be mindful of the information you share online and take steps to protect your personal privacy.
If you have anything online that is private and that you never want anyone else to see, think carefully about how and where you manage that data.
Sources
https://medium.com/pentesternepal/two-factor-authentication-bypass-on-facebook-3f4ac3ea139c