Facebook Password Flaw - Now Fixed

A recent bug in Meta’s Facebook and Instagram proves you cannot always trust a password or two-factor authentication (2FA) to keep your private data, pictures, and content secure.

A bug bounty hunter discovered a problem in Meta’s Instagram code that might have allowed an attacker to perform brute-force attacks and bypass Facebook’s two-factor authentication (2FA).

Two-factor authentication, also known as multi-factor authentication (MFA), is a security process that requires multiple methods of authentication from independent categories to verify the user’s identity for a login or other transaction. This provides a higher level of security than traditional single-factor authentication (such as a password only). Examples of factors include something the user knows (e.g. a password), something the user has (e.g. a phone), and something the user is (e.g. biometric data).

As we all know, simple password security is not great:

  • Weak Passwords: Users choose easily guessable passwords like “123456” or “password”.
  • Reuse of Passwords: Using the same password across multiple accounts, so if one password is compromised, all accounts are at risk.
  • Phishing: Attackers trick users into revealing their passwords through fake emails or websites.
  • Password Database Breaches: Hackers steal passwords that are stored in a database.
  • Brute Force Attacks: Automated software guesses passwords by trying many possibilities.
  • Man-in-the-Middle Attacks: Attackers intercept passwords in transit, for example over an unsecured network.
  • Key Loggers: Malware that records every keystroke on a computer, including passwords.

So, two-factor authentication is meant to protect us, right? That’s assuming it’s coded properly, without flaws.

A security researcher made the initial discovery that a user could link their Facebook and Instagram accounts by entering a mobile number already verified on the Facebook account. After the user enters their mobile number, Facebook generates a one-time code to confirm their identity.

However, because of a rate-limiting flaw on Instagram’s endpoint, a threat actor could generate unlimited bot traffic to brute-force the one-time Facebook PIN used to link the accounts, essentially getting around Facebook’s 2FA safeguards.
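To show the control whose absence made that PIN guessable, here is an added example (not Meta’s code or the researcher’s) of a one-time PIN verifier that counts wrong guesses per account and discards the challenge after a fixed number of failures; the class and function names, the five-attempt limit and the five-minute lifetime are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values, not Meta's: a six-digit PIN has only 10**6 values,
# so without a cap on wrong guesses it can be enumerated by automated traffic.
MAX_ATTEMPTS = 5              # wrong guesses allowed before the PIN is locked
PIN_LIFETIME_SECONDS = 300    # PIN expires five minutes after it is issued


@dataclass
class PendingVerification:
    pin: str
    issued_at: float
    failed_attempts: int = 0


class PinVerifier:
    def __init__(self, now=time.time):
        self._now = now                          # injectable clock for testing
        self._pending: dict[str, PendingVerification] = {}

    def issue_pin(self, account_id: str) -> str:
        # Six random digits; a fresh PIN replaces any outstanding challenge.
        # (In a real service, issuing PINs must be rate-limited as well.)
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = PendingVerification(pin, self._now())
        return pin

    def verify(self, account_id: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'.

        Every wrong guess is counted against the account; once MAX_ATTEMPTS is
        reached the challenge is locked, so the correct PIN is no longer accepted
        and the user must request a new one.
        """
        entry = self._pending.get(account_id)
        if entry is None:
            return "expired"
        if self._now() - entry.issued_at > PIN_LIFETIME_SECONDS:
            del self._pending[account_id]
            return "expired"
        if entry.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(entry.pin, guess):
            del self._pending[account_id]        # single use
            return "ok"
        entry.failed_attempts += 1
        return "locked" if entry.failed_attempts >= MAX_ATTEMPTS else "wrong"
```

With the cap in place, an attacker gets at most five guesses per issued PIN instead of a million, which is the difference between a lottery ticket and a guaranteed bypass.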

The researcher further stated that once inside the account, an attacker could completely disable SMS-based Facebook 2FA and skip the verification steps for both unknown and already-registered Facebook and Instagram accounts.

“If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from the victim’s account,” Mänôz wrote. “And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim’s account.”

Since then, Meta has corrected the problem, and as part of its bug bounty program, it awarded $27,000 to the researcher.

This case perfectly highlights that, in general, it is difficult to guarantee complete privacy online. While some measures can be taken to increase privacy, such as using encryption and secure passwords, data can still be accessed or intercepted by malicious actors or through security breaches. It’s also important to note that many online services collect and store user data for various purposes, such as targeted advertising or performance optimization. So it is important to be mindful of the information shared online and to take steps to protect personal privacy.

If you have anything online that is private and that you want no one else to ever see, think carefully about how and where you manage your data.

Sources

https://medium.com/pentesternepal/two-factor-authentication-bypass-on-facebook-3f4ac3ea139c

https://www.facebook.com/BugBounty/posts/pfbid02k44K9oS5TbYnqTyMqQabnjqusmbtdHkEMPD49gXmfUppQF5ExdTrvrBSSUXMdw2Ql?_rdc=2&_rdr
