Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The flaw resides in a component used by the parent company Meta for confirming a phone number and email address. The researchers noticed that the software did not implement a rate-limiting protection mechanism that allowed him to bypass two-factor authentication on Facebook by confirming the targeted user’s already-confirmed Facebook mobile number using the Meta Accounts Center.

Manoz reported the flaw to Meta in September 2022, the IT giant addressed it in October 2022.

“2FA Bypass – We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.” reads the bug bounty program report published by Meta.

The researcher noticed a personal details section in the Meta Accounts Center that allowed users to add an email and phone number to both Instagram and linked Facebook account, which can be verified by providing a 6-digits code received in email/phone. Mänôz noticed the lack of rate-limit protection, allowing anyone to confirm unknown/known email and phone number both in instagram and linked facebook accounts.

The issue allows the attacker with the knowledge of the victim’s phone number associated with his Instagram and Facebook account to conduct a bruteforce attack on the 6-digits code, then use the code to assign the victim’s phone number to an account under his control.

“While adding contact points (email/phone), it will make post request to /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.add.async/ endpoint to request the server to send 6 digits code for verification.” reads the post published by the researcher.

“Now, enter any random 6 digits code and intercept the request using web proxy such as Burp Suite.”

Then, send the above request to the intruder and insert $$ placeholder in the pin_code value in order to brute force the confirmation code.

Since, there was no rate-limit protection at all in this /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/endpoint, anyone could bypass the contact points verification.”

Unlinking the phone number of the victim from his Facebook and Instagram account the 2FA is disabled due to security reasons.

“And, if the phone number was partially confirmed that means only used for 2FA, it will revoke the 2FA and also the phone number will be removed from victim’s account.” concludes the report. “Since, the endpoint verifying both the contact points (email/phone) in instagram and linked facebook accounts was same , I was able to bypass both unknown and already registered contact points (email/phone) verification in instagram and facebook (unable to add already existed email in fb).“

Meta awarded $27,000 bounty for this flaw.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)