Emma Woollacott
27 January 2023 at 11:50 UTC
Updated: 17 February 2023 at 14:20 UTC
Security vulnerability was one of Meta’s top bugs of 2022
Meta has patched a vulnerability in Facebook that could have allowed an attacker to bypass SMS-based two-factor authentication (2FA).
The bug – which earned its finder a $27,200 bounty – did this by confirming the targeted user’s already-verified Facebook mobile number using the Meta Accounts Center in Instagram.
It exploited a rate-limiting issue in Instagram that enabled an attacker to brute force the verification pin required to confirm someone’s phone number.
Read more news about the latest web security vulnerabilities
Meta gave users the option of adding their email and phone number to both their Instagram and linked Facebook account, which can be verified through a six-digit code sent by email or SMS.
However, any random six digits can be entered and the request intercepted using a web proxy such as Burp Suite.
“Then, send the above request to the intruder and insert placeholder in the value in order to brute force the confirmation code,” writes Kathmandu-based security researcher Manoj Gautam, who found the bug, in a blog post.
“Since, there was no rate-limit protection at all in this , anyone could bypass the contact points verification.”
The endpoint verifying the code was also vulnerable to lack of rate-limit protection, says Gautam.
“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” Gautam tells The Daily Swig.
“Once the attacker adds the victim’s 2FA-enabled phone number [to] his Instagram-linked Facebook account, then the 2FA will be turned off or disabled from the victim’s account.”
Gautam first reported the issue to Meta on September 14, which fixed it on October 17. The company declared it to be one of the most impactful bugs to have been found during 2022 and awarded a $27,200 bounty – eventually.
“Initially I wasn’t convinced with their bounty decision because it was just $3000. Later, they replied saying to issue the additional bounty amount that will reflect the maximum potential impact in addition to the value of the bug I initially reported,” he says.
“Finally, after 92 days of the report being submitted, I was awarded additional bounty as per new payout guidelines for 2FA bypass. All in all, it was worth waiting for more than 90 days, and I received the highest bounty reward from Facebook.”
YOU MAY ALSO LIKE Ruby on Rails apps vulnerable to data theft through Ransack search