Social Networks

Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The flaw resides in a component used by the parent company Meta for confirming a phone number and email address. The researchers noticed that the software did not implement a rate-limiting protection mechanism that allowed him to bypass two-factor authentication on Facebook by confirming the targeted user’s already-confirmed Facebook mobile number using the Meta Accounts Center.

Manoz reported the flaw to Meta in September 2022, the IT giant addressed it in October 2022.

“2FA Bypass – We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.” reads the bug bounty program report published by Meta.

The researcher noticed a personal details section in the Meta Accounts Center that allowed users to add an email and phone number to both Instagram and linked Facebook account, which can be verified by providing a 6-digits code received in email/phone. Mänôz noticed the lack of rate-limit protection, allowing anyone to confirm unknown/known email and phone number both in instagram and linked facebook accounts.

The issue allows the attacker with the knowledge of the victim’s phone number associated with his Instagram and Facebook account to conduct a bruteforce attack on the 6-digits code, then use the code to assign the victim’s phone number to an account under his control.

“While adding contact points (email/phone), it will make post request to /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.add.async/ endpoint to request the server to send 6 digits code for verification.” reads the post published by the researcher.

“Now, enter any random 6 digits code and intercept the request using web proxy such as Burp Suite.”

Then, send the above request to the intruder and insert $$ placeholder in the pin_code value in order to brute force the confirmation code.

Since, there was no rate-limit protection at all in this /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/endpoint, anyone could bypass the contact points verification.”

Unlinking the phone number of the victim from his Facebook and Instagram account the 2FA is disabled due to security reasons.

“And, if the phone number was partially confirmed that means only used for 2FA, it will revoke the 2FA and also the phone number will be removed from victim’s account.” concludes the report. “Since, the endpoint verifying both the contact points (email/phone) in instagram and linked facebook accounts was same , I was able to bypass both unknown and already registered contact points (email/phone) verification in instagram and facebook (unable to add already existed email in fb).

Meta awarded $27,000 bounty for this flaw.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Russia-linked group APT29 is targeting Zimbra and JetBrains TeamCity servers on a large scale

U.S. and U.K. cyber agencies warn that Russia-linked group APT29 is targeting vulnerable Zimbra and…

14 mins ago

A cyber attack hit Iranian government sites and nuclear facilities

As Middle East tensions rise, cyberattacks hit Iran’s government branches and nuclear facilities, following Israel's…

15 hours ago

Ransomware operators exploited Veeam Backup & Replication flaw CVE-2024-40711 in recent attacks

Sophos reports ransomware operators are exploiting a critical code execution flaw in Veeam Backup &…

23 hours ago

GitLab fixed a critical flaw that could allow arbitrary CI/CD pipeline execution

GitLab issued updates for CE and EE to address multiple flaws, including a critical bug…

1 day ago

Iran and China-linked actors used ChatGPT for preparing attacks

OpenAI disrupted 20 cyber and influence operations in 2023, revealing Iran and China-linked actors used…

2 days ago

Internet Archive data breach impacted 31M users

The Internet Archive disclosed a data breach, the security incident impacted more than 31 million…

2 days ago

This website uses cookies.