Lorenzo Franceschi-Bicchierai reports:
A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number.
Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.
Read more at TechCrunch.
Comment: I would have thought that finding a bug that disables 2FA should be rewarded with more than $27,000 by Meta. They need to put their bug bounty rewards where their mouth is when it comes to claims about caring about privacy and security.