SecureWorld News

Meta Pays Researcher $27K for 2FA Vulnerability Discovery

Written by Drew Todd | Tue | Jan 31, 2023 | 1:07 PM Z

Nobody likes to catch (security) bugs, that is, unless they are worth $27,200.

Gtm Mänôz, a security researcher from Nepal, discovered a bug in a centralized system created by Meta for managing Facebook and Instagram logins. The vulnerability could have allowed malicious threat actors to turn off a user's two-factor authentication (2FA) protection simply by knowing the user's phone number or email address.

Mänôz summarized his findings in a blog post:

"I discovered the lack of rate-limiting issue in Instagram which could have allowed an attacker to bypass two factor authentication on Facebook by confirming the targeted user's already-confirmed Facebook mobile number using the Meta Accounts Center."

The new Meta Accounts Center, which helps users link all their Meta accounts, did not set a limit of attempts for users entering the 2FA code used to log in to their accounts.

With the victim's phone number or email address, an attacker could go to the centralized accounts center, enter the victim's phone number, link it to their own Facebook account, and then perform a brute-force attack on the 2FA SMS (text message) code. There was no upper limit to the number of attempts the attacker could make.

Once the attacker got the code right, the victim's phone number would become linked to the attacker's Facebook account, and Meta would send a message to the victim indicating that their 2FA had been disabled due to their phone number being linked to someone else's account. At that point, an attacker could potentially try to take over the victim's Facebook account by phishing for the password, since 2FA would no longer be enabled.

Mänôz provided a screenshot of what that message would like:

Mänôz discovered the bug in the Meta Accounts Center in September 2022 and reported it to the company. Meta fixed the bug a month later and paid Mänôz $27,200 for his report. It is unclear if any malicious hackers found and exploited the bug before Meta fixed it.

Meta made sure to highlight Mänôz's discovery in its 2022 Bug Bounty Newsletter, saying it was one of the most impactful discoveries of the year.

See the write-up from Mänôz for more information.

Follow SecureWorld News for more stories related to cybersecurity.