Meta pays $27,000 bounty to researcher who found a 2FA brute-force flaw

February 8, 2023

A researcher has disclosed the details of a two-factor authentication flaw that earned him a $27,000 bug bounty from Meta.

The Nepalese researcher discovered the flaw in September last year: the system Meta uses to confirm newly added phone numbers and email addresses did not rate-limit verification attempts.

The disclosure allowed Meta to design a fix and release it the following month. The company credited the researcher and paid him a bug bounty for his work; Meta is well known for rewarding those who take the time to test its systems.

Last year, Meta awarded about $2 million in total to researchers who discovered flaws in its systems.


The researcher said he spotted the 2FA flaw while analysing the new Meta Accounts Center.


The flaw lived in the Meta Accounts Center page on Instagram. The page lets users add an email address and phone number to their Instagram account and to the Facebook account linked to it.

To verify the newly added email address or phone number, the user must then enter a six-digit code sent by email or SMS.

The researcher's analysis found that the endpoint checking this six-digit code had no rate limiting, so an attacker could keep submitting guesses (at most one million for a six-digit code) until the right one was accepted.

To exploit this, an attacker only needed to know the phone number tied to the target's Facebook and Instagram accounts. The attacker could add that number to an account under his own control and brute-force the verification code, without ever seeing the SMS sent to the victim.

Because a phone number can be verified on only one account, a successful brute force removed the number from the victim's Instagram or Facebook account, which in turn disabled SMS-based 2FA there. The victim's phone was no longer the place the 2FA code would be sent.

The researcher's proof of concept also showed Meta that a Facebook user received no notification when someone else removed the phone number from their accounts.

The bounty researcher earned more than $27,000 after Meta deemed the vulnerability critical.
