Security researchers from Nepal recently discovered new vulnerabilities in the login systems of Meta's Facebook, Instagram and other apps, allowing anyone to bypass Facebook's two-factor authentication.

"This vulnerability can be exploited by anyone who knows the other party's phone number to bypass SMS-based two-factor authentication," researcher Gtm Mänôz told TechCrunch.

Mänôz said the flaw existed in the Meta Group's unified login system, where Meta did not set limits on attempts when users entered the two-factor codes used to log into their accounts.

This means that only knowing the target's phone number or email, an attacker can use brute force to enter a two-factor SMS code. Once the attacker obtains the correct verification code, the attacker can launch subsequent attacks.

It is understood that even after the attacker successfully attacks, Meta will send a reminder to the user that the account has been linked to someone else's account, so two-factor authentication is disabled.

Mänôz reported the bug to the company last year, and Meta has now fixed the bug. In order to reward him for his discovery, the Meta company finally paid him US$27,200 (currently about 184,000 yuan).