Emma Woollacott, 27 January 2023 at 11:50 UTC
Updated: 17 February 2023 at 14:20 UTC
Meta rated the flaw as one of its most impactful bugs of 2022.
Meta has patched a flaw in Facebook that could have allowed attackers to bypass SMS-based two-factor authentication (2FA).
The vulnerability, which earned its discoverer a $27,200 bounty, worked by confirming a victim's already-verified Facebook phone number through the Meta Accounts Center on Instagram.
It exploited a missing rate limit on Instagram that let an attacker brute-force the verification PIN required to confirm a phone number.
Meta lets users link an email address and a phone number to Instagram and to the associated Facebook account, verifying ownership with a six-digit code sent by email or SMS.
However, the server accepted any six-digit guess, and the verification request could be intercepted with a web proxy such as Burp Suite and replayed.
“Subsequently, send the aforementioned request to the Intruder and substitute a placeholder for the value to brute force the confirmation code,” states security researcher Manoj Gautam, who discovered the vulnerability, in a blog post.
“Because there was no protection against rate-limiting whatsoever, anyone could easily bypass the verification of contact points.”
According to Gautam, the endpoint that checks the submitted code also had no rate-limiting safeguards.
“Since there were no rate-limiting measures in place when verifying any contact points—email or phone—an attacker merely needed to know the phone number to add the victim’s 2FA-enabled phone number to their Instagram-linked Facebook account,” Gautam explained to The Daily Swig.
“After the attacker links the victim’s 2FA-enabled phone number to their Instagram-linked Facebook account, the 2FA will be disabled or turned off on the victim’s account.”
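To make the failure concrete, the following Python simulation is an added example, not code from Meta or from Gautam's write-up. It models a six-digit contact-point verification endpoint as the article describes it: an unprotected verifier that checks every guess, a hardened one that budgets attempts per issued code, expires and single-uses codes and compares in constant time, and the attacker's Intruder-style loop run against both. The lockout threshold, the code lifetime and the sample contact points are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

CODE_DIGITS = 6            # six-digit codes, as in the article
MAX_ATTEMPTS = 5           # hypothetical attempt budget per issued code
CODE_TTL_SECONDS = 600     # hypothetical code lifetime


@dataclass
class Challenge:
    """One issued confirmation code for one contact point (phone or email)."""
    contact: str
    code: str
    issued_at: float = field(default_factory=time.time)
    attempts: int = 0
    consumed: bool = False


def issue_code(contact: str, now: Optional[float] = None) -> Challenge:
    """Server side: generate the random six-digit code that would be sent by SMS/email."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return Challenge(contact, code) if now is None else Challenge(contact, code, now)


class VulnerableVerifier:
    """Models the flawed endpoint: every guess is compared and nothing is counted,
    so an attacker who can replay the request simply walks 000000..999999."""

    def verify(self, ch: Challenge, guess: str, now: Optional[float] = None) -> Tuple[bool, str]:
        if guess == ch.code:
            return True, "ok"
        return False, "wrong"


class HardenedVerifier:
    """Per-code attempt budget, expiry, single use and constant-time comparison."""

    def verify(self, ch: Challenge, guess: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if ch.consumed:
            return False, "consumed"
        if now - ch.issued_at > CODE_TTL_SECONDS:
            ch.consumed = True
            return False, "expired"
        # Count the attempt before comparing so a failure can never go uncounted.
        ch.attempts += 1
        if hmac.compare_digest(guess.encode(), ch.code.encode()):
            ch.consumed = True          # a code is good for exactly one success
            return True, "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.consumed = True          # burn the code; the user must request a fresh one
            return False, "locked"
        return False, "wrong"


def brute_force(verify: Callable[..., Tuple[bool, str]], ch: Challenge) -> Tuple[Optional[str], int]:
    """Attacker side, the Intruder-style loop: submit every six-digit value in order
    until the endpoint accepts one or refuses to evaluate further guesses.
    Returns (code_found_or_None, number_of_requests_sent)."""
    sent = 0
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        sent += 1
        ok, reason = verify(ch, guess)
        if ok:
            return guess, sent
        if reason in ("locked", "expired", "consumed"):
            return None, sent
    return None, sent


if __name__ == "__main__":
    victim = "+15555550123"   # constructed sample contact point
    weak = issue_code(victim)
    found, n = brute_force(VulnerableVerifier().verify, weak)
    print(f"unprotected endpoint: code {found} recovered after {n} requests")
    strong = issue_code(victim)
    found, n = brute_force(HardenedVerifier().verify, strong)
    print(f"hardened endpoint: found={found}, refused after {n} requests")
```

Against the unprotected verifier the loop always recovers the code, needing at most a million requests; against the hardened one it is cut off after MAX_ATTEMPTS and the code is burned. A real deployment also needs a limit on how often a new code can be issued for a given contact point and from a given source, otherwise the attacker just requests a fresh code and resumes, and the challenge should be bound to the session that requested it rather than to the contact point alone.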
Patch Implemented
Gautam reported the vulnerability to Meta on September 14, and the company fixed it on October 17. Meta judged it one of the most impactful bugs of 2022 and awarded a $27,200 bounty.
“At first, I was skeptical about their bounty decision, which was only $3,000. Eventually, they responded, stating that the additional payment would reflect the maximum potential impact along with the bug’s initial reported value,” he noted.
“After 92 days had passed since submitting the report, I received the supplementary bounty in alignment with the new payout guidelines for 2FA bypass vulnerabilities. Overall, the wait was worthwhile as I ended up receiving the highest bounty from Facebook.”
Based on an article from portswigger.net: https://portswigger.net/daily-swig/facebook-two-factor-authentication-bypass-issue-patched