Emma Woollacott, 27 January 2023 at 11:50 UTC
Updated: 17 February 2023 at 14:20 UTC
A critical security flaw was identified as one of Meta’s most significant vulnerabilities in 2022.
Meta has addressed a vulnerability in Facebook that had the potential to allow an attacker to bypass SMS-based two-factor authentication (2FA).
The issue, which resulted in a $27,200 bounty for its discoverer, allowed for the verification of a targeted user’s registered Facebook mobile number through the Meta Accounts Center on Instagram.
The vulnerability took advantage of a flaw in Instagram’s rate-limiting, enabling an attacker to brute force the verification PIN necessary to validate a phone number.
Meta provided users with the ability to link their email and phone numbers to both their Instagram and Facebook accounts, with verification conducted via a six-digit code sent through email or SMS.
However, attackers could input any random six digits, and the requests could be intercepted using a web proxy like Burp Suite.
“Subsequently, send the request to the intruder while inserting a placeholder in the value to brute force the confirmation code,” shared Kathmandu-based security researcher Manoj Gautam, who discovered the flaw, in a blog entry.
“There was essentially no rate-limit protection present, allowing anyone to bypass the verification of contact points.”
According to Gautam, the endpoint responsible for validating the code was also vulnerable due to a lack of rate-limiting: “Without rate-limit protection while verifying contact methods—be it email or phone—an attacker could simply input the victim’s 2FA-enabled phone number into their Instagram-linked Facebook account.”
“Once the attacker added the victim’s 2FA-enabled phone number to their Instagram-linked Facebook account, the 2FA would effectively be disabled on the victim’s end.”
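The control the verification endpoint lacked, shown as an added illustration that is not code from Meta or from Gautam's write-up: a toy server-side verifier for a six-digit contact-point code, with and without a per-code attempt limit. The five-attempt limit and ten-minute validity are assumed values, not Meta's actual settings.

```python
import hmac
import secrets
import time

CODE_LEN = 6
MAX_ATTEMPTS = 5        # assumption: attempts allowed per issued code
CODE_TTL_SECONDS = 600  # assumption: how long an issued code stays valid


class ContactVerifier:
    """Verifies a contact point (email or phone) with a six-digit code.
    rate_limited=False reproduces the flaw in the article: unlimited guesses."""

    def __init__(self, rate_limited=True, now=time.time):
        self.rate_limited = rate_limited
        self.now = now  # injectable clock so expiry can be tested
        self.pending = {}  # (account_id, contact) -> {"code", "expires", "attempts"}

    def send_code(self, account_id, contact):
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending[(account_id, contact)] = {
            "code": code, "expires": self.now() + CODE_TTL_SECONDS, "attempts": 0}
        return code  # delivered out of band (SMS/email) in a real system

    def verify(self, account_id, contact, guess):
        key = (account_id, contact)
        entry = self.pending.get(key)
        if entry is None:
            return "no_code"
        if self.now() > entry["expires"]:
            del self.pending[key]
            return "expired"
        entry["attempts"] += 1
        if self.rate_limited and entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[key]  # invalidate the code; a fresh one must be requested
            return "locked"
        guess = str(guess)
        if len(guess) == CODE_LEN and guess.isdigit() and hmac.compare_digest(entry["code"], guess):
            del self.pending[key]  # single use
            return "verified"
        return "wrong"


def guess_until_stopped(verifier, account_id, contact, max_guesses=10 ** CODE_LEN):
    """Submit codes 000000, 000001, ... until the verifier accepts or stops us.
    Returns (final result, number of guesses submitted)."""
    for i in range(max_guesses):
        result = verifier.verify(account_id, contact, f"{i:0{CODE_LEN}d}")
        if result != "wrong":
            return result, i + 1
    return "exhausted", max_guesses
```

Against the unlimited verifier the sequential guesser always reaches the code; against the limited one it is cut off after MAX_ATTEMPTS wrong answers and the code is discarded.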
Resolved Vulnerability
Gautam first reported this issue to Meta on September 14, and it was rectified by October 17. The company labeled it as one of the most significant vulnerabilities discovered during 2022, eventually awarding a $27,200 bounty.
“Initially, I wasn’t satisfied with their bounty offer of $3,000. Eventually, they communicated that they would provide an additional amount commensurate with the maximum impact of the bug I had originally reported,” he explained.
“Ultimately, after 92 days since my report submission, I received the additional bounty based on the updated payout guidelines for 2FA bypass vulnerabilities. Overall, the wait was worthwhile, and I achieved the highest bounty from Facebook.”
Based on an article from PortSwigger: https://portswigger.net/daily-swig/facebook-two-factor-authentication-bypass-issue-patched