So it seems the vector here was that a URL that showed up in the address bar gave the attacker the ability to change the account password. Any theories on how that works?

A password reset URL would do this, but presumably the attacker wasn't counting on the user forgetting their password (unless they had a way to force it?). And a usual "magic link" wouldn't authorize the user to reset a password without confirmation to the original email, I would think?

I wonder if it was not a URL, but an OTP code that was visible on screen by showing up in a notification.
If I received an email from a legitimate representative of the Tim Ferris show I'd be more likely to suspect a scam than if I received a typical phishing email.
There's always a slow excuse build-up before the presentation of the folly. I rarely find it convincing. Not least of all, here.

That it was Tim Ferris makes this almost feel like satire. :/

Android makes it pretty easy to completely invert the control here. My phone does not make noise, does not vibrate, and does not show notifications on the top bar. I see them when I'm ready to see them. Unless of course I've excepted them (certain apps, or even specific WhatsApp convos, etc.) from this, and given them priority, for truly important things.
> If anyone knows Mark Zuckerberg, please tell him to return our account Facebook Account, please.

I'm surprised no one at Meta has fixed this yet. The Perry Bible Fellowship is a really established web comic.