A researcher won a hefty bounty for reporting a severe two-factor authentication (2FA) bypass bug in Meta products. Specifically, he found the 2FA bypass vulnerability in Instagram that could also impact linked Facebook accounts. Meta patched the issue following the bug report.
2FA Bypass Vulnerability In Instagram Could Impact Facebook Too
Sharing the details in a blog post, the researcher Gtm Mänôz revealed the 2FA bypass vulnerability in Facebook and Instagram that he discovered last year.
As disclosed, he became curious following an invitation from Meta to BountyCon 2022 and wanted to find something interesting for the live hacking event.
So, he examined Instagram’s new layout for the “Meta Accounts Center.” It allowed adding an email or phone number to the personal details section of Instagram and the linked Facebook account, following the verification of a 6-digit OTP.
Here, Mänôz discovered the absence of a rate-limiting feature, enabling an adversary to add an already-verified phone number to a target Facebook/Instagram account.
To exploit the flaw, an attacker merely had to brute-force the confirmation code to link their desired phone number to the target account. If successful, such an addition would disable 2FA for the victim’s account, as the attacker would get the victim’s details linked to their own account.
The researcher has explained the steps for reproducing the bug in his post.
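The missing control described above is an attempt cap on the 6-digit confirmation code. The sketch below is an added example, not Meta's code and not taken from the researcher's post; the class names, the 5-attempt limit and the 600-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed per contact point
CODE_TTL = 600          # assumed policy: code lifetime and lockout window, seconds


class Challenge:
    def __init__(self, now, carried_failures):
        self.code = f"{secrets.randbelow(10**6):06d}"   # uniform 6-digit OTP
        self.expires_at = now + CODE_TTL
        self.failed = carried_failures


class ContactPointVerifier:
    """Tracks pending codes per (account, contact point) with an attempt cap."""

    def __init__(self):
        self._pending = {}

    def issue(self, account, contact, now):
        old = self._pending.get((account, contact))
        carried = old.failed if old and now < old.expires_at else 0
        if carried >= MAX_ATTEMPTS:
            return None          # locked: requesting a new code must not reset the counter
        ch = Challenge(now, carried)
        self._pending[(account, contact)] = ch
        return ch.code           # a real service sends this out of band instead

    def verify(self, account, contact, guess, now):
        ch = self._pending.get((account, contact))
        if ch is None or now >= ch.expires_at or ch.failed >= MAX_ATTEMPTS:
            return "rejected"    # no code, expired, or locked: the guess is not even compared
        if hmac.compare_digest(ch.code.encode(), str(guess).encode()):
            del self._pending[(account, contact)]
            return "verified"
        ch.failed += 1
        return "locked" if ch.failed >= MAX_ATTEMPTS else "wrong"


def guess_success_probability(attempts_allowed, digits=6):
    """Chance that blind guessing hits the code within the attempt cap."""
    return min(1.0, attempts_allowed / 10**digits)
```

With the cap in place, blind guessing succeeds with probability 5 in 1,000,000 per window; without any cap, the whole 6-digit space can be tried.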
Bug Fixed – Bug Bounty Awarded
Upon discovering the vulnerability, the researcher reported it to Meta officials. In response, Meta confirmed the “contact points verification bypass” issue for Instagram and awarded the bounty.
At this stage, the researcher had to convince Meta officials to award the bounty per their policy of considering the maximum potential impact. Finally, the tech giant awarded him a $27,000 bounty according to the New Payout Guidelines.
Also, Meta marked this discovery among the most impactful bugs reported during 2022 in their overview of Bug Bounty Program 2022.