Social Networks

Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The flaw resides in a component used by the parent company Meta for confirming a phone number and email address. The researchers noticed that the software did not implement a rate-limiting protection mechanism that allowed him to bypass two-factor authentication on Facebook by confirming the targeted user’s already-confirmed Facebook mobile number using the Meta Accounts Center.

Manoz reported the flaw to Meta in September 2022, the IT giant addressed it in October 2022.

“2FA Bypass – We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.” reads the bug bounty program report published by Meta.

The researcher noticed a personal details section in the Meta Accounts Center that allowed users to add an email and phone number to both Instagram and linked Facebook account, which can be verified by providing a 6-digits code received in email/phone. Mänôz noticed the lack of rate-limit protection, allowing anyone to confirm unknown/known email and phone number both in instagram and linked facebook accounts.

The issue allows the attacker with the knowledge of the victim’s phone number associated with his Instagram and Facebook account to conduct a bruteforce attack on the 6-digits code, then use the code to assign the victim’s phone number to an account under his control.

“While adding contact points (email/phone), it will make post request to /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.add.async/ endpoint to request the server to send 6 digits code for verification.” reads the post published by the researcher.

“Now, enter any random 6 digits code and intercept the request using web proxy such as Burp Suite.”

Then, send the above request to the intruder and insert $$ placeholder in the pin_code value in order to brute force the confirmation code.

Since, there was no rate-limit protection at all in this /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/endpoint, anyone could bypass the contact points verification.”

Unlinking the phone number of the victim from his Facebook and Instagram account the 2FA is disabled due to security reasons.

“And, if the phone number was partially confirmed that means only used for 2FA, it will revoke the 2FA and also the phone number will be removed from victim’s account.” concludes the report. “Since, the endpoint verifying both the contact points (email/phone) in instagram and linked facebook accounts was same , I was able to bypass both unknown and already registered contact points (email/phone) verification in instagram and facebook (unable to add already existed email in fb).

Meta awarded $27,000 bounty for this flaw.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

GitHub Action tj-actions/changed-files was compromised in supply chain attack

The GitHub Action tj-actions/changed-files was compromised, enabling attackers to extract secrets from repositories using the…

45 minutes ago

New StilachiRAT uses sophisticated techniques to avoid detection

Microsoft discovered a new remote access trojan (RAT), dubbed StilachiRAT, that uses sophisticated techniques to…

3 hours ago

Threat actors rapidly exploit new Apache Tomcat flaw following PoC release<gwmw style="display:none;"></gwmw>

Threat actors began exploiting a recently disclosed Apache Tomcat vulnerability immediately after the release of…

15 hours ago

Attackers use CSS to create evasive phishing messages

Threat actors exploit Cascading Style Sheets (CSS) to bypass spam filters and detection engines, and…

20 hours ago

Researcher releases free GPU-Based decryptor for Linux Akira ransomware

A researcher released a free decryptor for Linux Akira ransomware, using GPU power to recover…

1 day ago

Denmark warns of increased state-sponsored campaigns targeting the European telcos

Denmark 's cybersecurity agency warns of increased state-sponsored campaigns targeting the European telecom companies Denmark…

1 day ago

This website uses cookies.