January 31, 2023

Meta has fixed a Facebook vulnerability that could have allowed an attacker to bypass SMS-based two-factor authentication (2FA). The bug, which earned its discoverer a $27,200 bounty, accomplished this by confirming the targeted user’s already-verified Facebook mobile number via Instagram’s Meta Accounts Center.

Gtm Mänôz, the researcher, discovered that a user could link their Instagram and Facebook accounts by entering an already proven mobile number associated with the Facebook account. After entering the user’s mobile number, Facebook generates a one-time code to verify the user’s identity.

Users could add their email and phone number to both their Instagram and linked Facebook accounts, which could then be verified via a six-digit code sent via email or SMS. Any random six digits can, however, be entered and the request intercepted using a web proxy such as Burp Suite.

The issue on Instagram’s endpoint, on the other hand, could enable a threat actor to push infinite bot traffic to introduce a brute-force attack to verify a one-time Facebook PIN to link the accounts, successfully circumventing Facebook’s 2FA protections.

When the attacker correctly entered the code, the victim’s phone number was linked to the attacker’s Facebook account. A successful attack would still result in Meta sending a message to the victim stating that their two-factor authentication had been disabled because their phone number had been linked to someone else’s account.

The sources for this piece include an article in TechCrunch.