A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook and received a $27,000 bug bounty.
The flaw resides in a component Meta uses to confirm a phone number or email address. The researcher Gautam Manoz noticed that the component did not implement rate limiting, which allowed him to bypass two-factor authentication on Facebook by confirming the targeted user’s already-confirmed Facebook mobile number through the Meta Accounts Center.
According to the bug bounty program report published by Meta, the company fixed a bug that could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute-force the verification PIN required to confirm someone’s phone number.
The researcher from Nepal was awarded a $27,200 bounty for this report.
The personal details section in the Meta Accounts Center allowed users to add an email address and phone number to both an Instagram account and the linked Facebook account, verified by entering a 6-digit code sent by email or SMS. The researcher noticed the lack of rate limiting, which allowed anyone to confirm an arbitrary email address or phone number on both Instagram and the linked Facebook account.
The issue allows an attacker who knows the phone number associated with the victim’s Instagram and Facebook accounts to brute-force the 6-digit code and then use it to assign the victim’s phone number to an account under the attacker’s control.
When the victim’s phone number is unlinked from their Facebook and Instagram accounts in this way, 2FA is disabled as a security measure.
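As an added illustration (not Meta's code), the following minimal confirmation-code verifier contrasts the unthrottled behaviour described above with one that invalidates the code after a handful of failed guesses; the account id, phone number, attempt limit and TTL are constructed values.

```python
import hmac
import secrets
import time

CODE_LEN = 6
CODE_TTL_SECONDS = 600  # constructed value


class OtpVerifier:
    """Confirmation-code check for adding a phone/email to an account.

    max_attempts=None reproduces the unthrottled behaviour described in the
    article; a small integer burns the code after that many failures.
    """

    def __init__(self, max_attempts=5, clock=time.monotonic):
        self.max_attempts = max_attempts
        self._clock = clock
        self._pending = {}  # (account_id, phone) -> {"code", "expires", "failures"}

    def issue(self, account_id, phone):
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self._pending[(account_id, phone)] = {
            "code": code, "expires": self._clock() + CODE_TTL_SECONDS, "failures": 0}
        return code  # would be delivered by SMS/email; returned here only for the demo

    def confirm(self, account_id, phone, guess):
        key = (account_id, phone)
        entry = self._pending.get(key)
        if entry is None or self._clock() > entry["expires"]:
            self._pending.pop(key, None)
            return "no_pending_code"
        if hmac.compare_digest(entry["code"], guess):  # constant-time compare
            del self._pending[key]
            return "confirmed"
        entry["failures"] += 1
        if self.max_attempts is not None and entry["failures"] >= self.max_attempts:
            del self._pending[key]  # invalidate; a fresh code must be requested
            return "locked_out"
        return "wrong_code"


def simulate_exhaustive_guessing(verifier, account_id, phone):
    """Local test harness: try every code; return (guesses made, outcome)."""
    for n in range(10 ** CODE_LEN):
        outcome = verifier.confirm(account_id, phone, f"{n:0{CODE_LEN}d}")
        if outcome != "wrong_code":
            return n + 1, outcome
    return 10 ** CODE_LEN, "exhausted"
```

With `max_attempts=None` the harness always ends in `confirmed` after at most one million guesses; with the limit in place it stops within five, and the real code no longer works afterwards. A production limit should also be keyed on the target phone number and the requester, not only on the account.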
The researcher first reported the issue to Meta on September 14, which fixed it on October 17. The company declared it to be one of the most impactful bugs to have been found during 2022 and awarded a $27,200 bounty.