Facebook Bug Allows 2FA Bypass Via Instagram
The Instagram rate-limiting bug, found by a rookie hunter, could be exploited to bypass Facebook 2FA in vulnerable apps, researcher reports.
A bug-bounty hunter found an issue in Meta's Instagram API endpoints that could allow a threat actor to launch brute-force attacks and bypass two-factor authentication (2FA) on Facebook.
The researcher, Gtm Mänôz, first discovered a user could link their Instagram and Facebook accounts by adding in an already confirmed mobile number associated with the Facebook account. Once the mobile number is entered, Facebook generates a one-time code to verify the user's identity.
But the rate-limiting issue on Instagram's endpoint could allow a threat actor to drive unlimited bot traffic to launch a brute-force attack to confirm a one-time Facebook PIN to link the accounts, effectively bypassing Facebook's 2FA protections.
"If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account," Mänôz wrote. "And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim's account."
Meta has since fixed the issue and awarded Mänôz $27,000 for the find through its bug bounty program. Users should update their apps to the latest version to avoid being vulnerable.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024