Facebook and Instagram users were left vulnerable to account takeover attacks due to a bug in a new centralized system created by Meta.
The bug was discovered by Nepalese security researcher Gtm Mänôz, who found that the Meta Accounts Center, which helps users link all their Meta accounts, did not limit the number of attempts made to enter a two-factor authentication (2FA) code.
An attacker could have taken advantage of the vulnerability by using a victim’s phone number, linking that number to their own Facebook account, and then attempting to brute-force the 2FA code.
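
The control that was missing, as an added example (not Meta's code and not taken from the researcher's report): a verifier that caps wrong guesses per pending code and burns the code once the cap is hit. The class and function names, the key format, the five-attempt cap and the 300-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy value
CODE_TTL_SECONDS = 300  # assumed policy value


class OtpVerifier:
    """Tracks one pending code per (account, phone) key and bounds guesses."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self._pending = {}  # key -> [code, expires_at, failures]

    def issue(self, key):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[key] = [code, self.clock() + self.ttl, 0]
        return code  # a real service sends this by SMS and never returns it to the requester

    def verify(self, key, guess):
        entry = self._pending.get(key)
        if entry is None:
            return "no_challenge"
        code, expires_at, failures = entry
        if self.clock() >= expires_at:
            del self._pending[key]
            return "expired"
        if hmac.compare_digest(code, guess):
            del self._pending[key]  # single use
            return "ok"
        entry[2] = failures + 1
        if entry[2] >= self.max_attempts:
            del self._pending[key]  # burn the code: later guesses cannot succeed
            return "locked"
        return "wrong"


def count_guesses_evaluated(verifier, key, guesses):
    """Return how many guesses were actually compared against the pending code."""
    evaluated = 0
    for guess in guesses:
        result = verifier.verify(key, guess)
        if result == "no_challenge":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

The cap only holds if issuing a fresh code is itself rate limited per account and per phone number; otherwise each reissue grants another batch of guesses.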