Facebook two-factor authentication bypass issue patched

Emma Woollacott on 27 January 2023 at 11:50 UTC
Updated: 17 February 2023 at 14:20 UTC

Meta addresses a significant security vulnerability that was marked as one of its major bugs in 2022.


Meta has successfully resolved a vulnerability in Facebook that could have potentially allowed attackers to bypass SMS-based two-factor authentication (2FA).

This bug, for which the finder received a substantial $27,200 bounty, enabled confirmation of a targeted user’s already-verified mobile number through the Meta Accounts Center in Instagram.

The flaw took advantage of a rate-limiting issue in Instagram that allowed attackers to brute-force the verification PIN necessary for confirming a phone number.


Meta provides users the option to link their email and phone number to both their Instagram and Facebook accounts, which can be verified via a six-digit code sent through email or SMS.

However, any random six digits could be submitted, and this request could be intercepted using web proxies like Burp Suite.

“Next, send the request to the intruder and insert a placeholder in the value to brute-force the confirmation code,” explains Manoj Gautam, a security researcher based in Kathmandu who uncovered this bug, in a blog article.

“Since there was no rate-limit protection at all, anyone could bypass the verification of contact methods.” Gautam also indicates that the endpoint used to verify the code lacked proper rate-limiting measures.

“Without rate-limit protection while verifying contact points, anyone who knows the phone number could add the victim’s 2FA-enabled phone number to their Instagram-linked Facebook account,” Gautam informs The Daily Swig.

“Once the attacker successfully adds the victim’s 2FA-enabled phone number, the 2FA will effectively be disabled on the victim’s account.”
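The weakness described above is the absence of any attempt limit on the endpoint that checks the six-digit contact-verification code. The following is an added example written for this article, not code from Meta or from Gautam's write-up, showing the defensive controls a verification endpoint should have: a cap on wrong guesses per pending code, invalidation of the code and a lockout once the cap is hit, expiry of codes after a fixed window, and a constant-time comparison. The class, function and parameter names, the limits (5 attempts, 10-minute code lifetime, 15-minute lockout) and the account/phone values are all illustrative assumptions.

```python
import hmac
import secrets
import time
from collections import Counter
from dataclasses import dataclass

# Illustrative policy values, not Meta's actual settings.
MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code
CODE_TTL_SECONDS = 600    # code is valid for 10 minutes
LOCKOUT_SECONDS = 900     # no new code or check for 15 minutes after lockout


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    attempts: int = 0


class FakeClock:
    """Controllable clock so expiry and lockout can be exercised without sleeping."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class ContactVerifier:
    """Hypothetical verifier for a phone number being attached to an account."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._pending: dict[tuple[str, str], PendingVerification] = {}
        self._locked_until: dict[tuple[str, str], float] = {}

    def issue_code(self, account_id: str, phone: str):
        """Generate a fresh six-digit code, or None while the pair is locked out."""
        key = (account_id, phone)
        now = self._clock()
        if now < self._locked_until.get(key, 0.0):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[key] = PendingVerification(code=code, issued_at=now)
        return code  # a real service would send this by SMS, not return it

    def verify(self, account_id: str, phone: str, submitted: str) -> str:
        key = (account_id, phone)
        now = self._clock()
        if now < self._locked_until.get(key, 0.0):
            return "locked"                 # refuse before even looking up a code
        entry = self._pending.get(key)
        if entry is None:
            return "no_pending_code"
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return "expired"
        entry.attempts += 1
        if hmac.compare_digest(entry.code.encode(), str(submitted).encode()):
            del self._pending[key]          # single use
            return "verified"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[key]          # the code itself is burned, not just paused
            self._locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong_code"


def demo_guess_flood(verifier: ContactVerifier, account_id: str, phone: str,
                     n_guesses: int = 20) -> Counter:
    """Submit a run of wrong guesses and tally how the endpoint answered each one.

    Used here to show that only MAX_ATTEMPTS - 1 guesses are ever evaluated
    before the code is invalidated; every later request is rejected unchecked.
    """
    correct = verifier.issue_code(account_id, phone)
    results: Counter = Counter()
    for i in range(n_guesses):
        guess = f"{i:06d}"
        if guess == correct:
            continue                        # keep every submitted guess wrong
        results[verifier.verify(account_id, phone, guess)] += 1
    return results


if __name__ == "__main__":
    v = ContactVerifier(clock=FakeClock())
    print(demo_guess_flood(v, "acct-demo", "+15550000001"))
```

The attempt counter lives with the pending code, so a lockout both discards the code and blocks issuing a replacement for the lockout period; otherwise a limit could be sidestepped simply by requesting a new code. Counting attempts per target phone number regardless of which account submits them, and alerting on lockouts, are the natural next steps in a real deployment.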

Bug Resolved

Gautam initially reported this issue to Meta on September 14, and it was resolved on October 17. The company acknowledged it as one of the most significant bugs found in 2022 and awarded a $27,200 bounty, albeit after some initial hesitation.

“I was initially uncertain about their decision regarding the bounty, as it was only $3000. However, they later responded with the additional bounty to reflect the bug’s maximum potential impact,” he mentions.

“After 92 days post-report submission, I received the additional bounty per their revised payout guidelines for 2FA bypass. Ultimately, it was worth the wait, and I achieved the highest bounty reward from Facebook.”


Based on an article from portswigger.net: https://portswigger.net/daily-swig/facebook-two-factor-authentication-bypass-issue-patched
