Tech
Hacker finds bug that allowed anyone to bypass Facebook 2FA


A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number.
Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
With a victim’s phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the number of attempts someone could make.
Once the attacker got the code right, the victim’s phone number became linked to the attacker’s Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else’s account.
“Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz told TechCrunch.
An email from Meta to an account owner telling them that their two-factor protections have been switched off. Image Credits: Gtm Mänôz (screenshot)
At this point, theoretically, an attacker could try to take over the victim’s Facebook account just by phishing for the password, given that the target didn’t have two-factor enabled anymore.
Mänôz found the bug in the Meta Accounts Center last year, and reported it to the company in mid-September. Meta fixed the bug a few days later, and paid Mänôz $27,200 for reporting the bug.
Meta spokesperson Gabby Curtis told TechCrunch that at the time of the bug the login system was still at the stage of a small public test. Curtis also said that Meta’s investigation after the bug was reported found no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would indicate that no one was abusing it.
January 30: Headline updated to reflect that only Facebook accounts were vulnerable to the bug; this was due to an editing error. ZW.
Updated with comment from Meta.





Tech
Counter-Strike 2 may immediately end matches with cheaters – GamesHub


Counter-Strike 2 (CS2), the next evolution of Valve’s long-running, ever-popular, and lucrative tactical first-person shooting game, was revealed in mid-March 2023. But beyond several visual improvements and refinements to the high-stakes game, it appears as if the company is taking the opportunity to implement far stricter measures to counteract cheaters, who utilise third-party tools to gain an unfair advantage.
As spotted by Twitter user Aquarius and reported on by PC Gamer, a line in the source code of CS2 has indicated a new feature that will immediately cancel an in-progress match of Counter-Strike 2 if a player is detected using cheating tools.
The code, which appears to outline the conditions for certain notifications to pop up in-game, includes the phrases ‘Cheater Detected’ and ‘This match has been cancelled by VAC Live’.
‘VAC’ in this instance, of course, is an abbreviation for Valve Anti-Cheat, the company’s proprietary cheat monitoring solution. VAC was first introduced with Counter-Strike in 2002.
As PC Gamer astutely notes, this appears to be Valve taking a page from CS2’s closest competitor at the moment, Valorant, developed by Riot Games. Riot’s anti-cheat measures have included match cancellations since the game’s launch.
Counter-Strike has always been a game with high stakes, requiring exceptional levels of player investment and focus to succeed. Having your multiplayer experience ruined by a lopsided, unfair match can be incredibly demoralising, especially if you’re stuck in it for some time before you can move on. If Valve’s new anti-cheat measures do go ahead, it can only be a positive thing.
Don’t cheat in multiplayer games. That’s a loser move.
Counter-Strike 2 will launch on PC sometime in mid-2023.
Tech
Microsoft Ends $1 Xbox Game Pass Offer For First Month of Use – Kotaku


Microsoft’s long-running introductory offer for its Xbox Game Pass subscription platform, which let users try the service out for $1 for the first month before moving onto more expensive payments, has finally come to a close.
As The Verge reports, the deal—which applied to both Xbox Game Pass Ultimate and the PC Game Pass—has recently been pulled, with a Microsoft spokesperson saying “We have stopped our previous introductory offer for Xbox Game Pass Ultimate and PC Game Pass and are evaluating different marketing promotions for new members in the future”.
What those “different marketing promotions” could be is anyone’s guess, though given the whole point of the $1 deal was to get new users on the hook, a natural successor could easily be the Xbox Game Pass Friends and Family scheme, which, while still unavailable in the US, has been tested in a number of international markets since late 2022.
Anyone signed up for Game Pass will see months from existing subscriptions converted into partial months on the sharing plan. If you’re currently signed up for Xbox Game Pass Ultimate, every remaining month will turn into 18 days of Game Pass Friends and Family. Those signed up for the piecemeal tiers will see their subscriptions convert into 12 days of Game Pass Friends and Family.
There are some limitations, however. If you’re the account holder, you can only have four additional people on an account at any given time, and can only share with eight unique accounts over the course of a calendar year. And it’s region-locked: The primary account holder can only add members who live in the same country or region.
While that’s not a 1:1 replacement for the $1 offer, which was just a good deal for anyone, it does mean folks recommending Xbox Game Pass to friends or family would have a pretty easy way to get them onboard via their own account.
It sucks to see the $1 deal go away, since I’m sure many/most of you took advantage of it, but if you weren’t ready for the time Xbox decided to start doing stuff like this, you have not been paying enough attention to TV and sports over the last five years.