Gtm Mänôz, a security researcher from Nepal, discovered the flaw when he discovered that the Meta Accounts Center, which enables users to link all of their Meta accounts, did not limit the number of times they could enter a two-factor authentication (2FA) code.
Before attempting to brute force the 2FA code, an attacker could have taken advantage of the vulnerability by linking a victim’s phone number to their own Facebook account.
The attacker could have figured out the right code after making as many attempts as they wanted, linking the victim’s phone number to their own Facebook account.
The victim’s 2FA protection would be disabled as a result, and they would be informed that their phone number had been linked to another account.
Users of Facebook and Instagram should check their 2FA settings and make sure their phone number is properly linked to their accounts to prevent account takeovers.
