A security researcher from Nepal, Gtm Mänôz, has detected a severe two-factor authentication (2FA) bypass bug on Facebook and Instagram. The 2FA bypass bug could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number. Moreover, the researcher found that Meta did not set up a limit of attempts when users entered the two-factor code used to log into their accounts.
2FA Bypass Bug Could Affect the Linked Accounts
It was revealed that the 2FA bypass bug in Meta products, Instagram in particular, could also affect the linked Facebook account. The researcher found the bug after receiving an invitation from Meta to BountyCon 2022 and looking for something interesting to present at the live hacking event.
Mänôz discovered the absence of rate limiting, which allows an attacker to add an already-verified phone number to a target Facebook/Instagram account. The attacker merely had to brute-force the confirmation code to link the phone number of their choice to the target account. “Basically the highest impact here was revoking anyone’s SMS-based 2FA just knowing the phone number,” Mänôz said.
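The missing control described above is an attempt limit on the confirmation code. As an added example, not Meta's code, here is one way a service can bound those attempts in Python: each wrong guess consumes a per-account budget, exhausting it invalidates the code, and a fresh code cannot be minted to reset the budget until the old one has expired. The class name, the five-attempt budget and the ten-minute TTL are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # hypothetical policy: the code dies after 5 wrong guesses
CODE_TTL_SECONDS = 600  # a code is valid for ten minutes
CODE_LENGTH = 6         # 10**6 possibilities: trivially enumerable with no attempt limit

@dataclass
class PendingVerification:
    code: str
    phone: str
    issued_at: float
    failures: int = 0

class ContactPointVerifier:
    """Tracks one pending phone-number confirmation per account (constructed example)."""
    def __init__(self, clock=time.time):
        self._now = clock
        self._pending = {}  # account_id -> PendingVerification

    def _exhausted(self, p):
        return p.failures >= MAX_ATTEMPTS

    def issue(self, account_id: str, phone: str):
        # Refuse a new code while an exhausted one is inside its TTL, else re-requesting resets the budget
        prev = self._pending.get(account_id)
        if prev and self._exhausted(prev) and self._now() - prev.issued_at < CODE_TTL_SECONDS:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account_id] = PendingVerification(code, phone, self._now())
        return code  # a real service sends this by SMS rather than returning it

    def verify(self, account_id: str, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'expired' or 'locked'; wrong guesses consume the budget."""
        p = self._pending.get(account_id)
        if p is None:
            return "expired"
        if self._exhausted(p):
            return "locked"
        if self._now() - p.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        # Constant-time compare, and the phone must match the one the code was issued for.
        if hmac.compare_digest(p.code.encode(), guess.encode()) and p.phone == phone:
            del self._pending[account_id]
            return "ok"
        p.failures += 1
        return "locked" if self._exhausted(p) else "wrong"
```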
The researcher reported the vulnerability to Meta. In response, Meta confirmed the “contact points verification bypass” issue and issued a patch; the company also paid Mänôz $27,200 for reporting the bug. Meta spokesperson Gabby Curtis said there was no evidence of exploitation in the wild and that Meta saw no spike in usage of that particular feature, which suggests no one was abusing it.