Meta has fixed a weakness in Facebook that could have potentially enabled a cyber attacker to evade SMS-based two-step verification (2FA).
The glitch, which netted the discoverer a handsome reward of $27,200, accomplished this by revalidating the intended user’s previously confirmed Facebook mobile number through the Meta Accounts Center on Instagram.
It took advantage of a speed-restriction problem in Instagram, which allowed a hacker to relentlessly guess the confirmation pin needed to verify an individual’s phone number.
Stay updated with the recent developments in web security flaws
Meta provided users with the opportunity to include their email and phone number to their Instagram and associated Facebook accounts, which can be confirmed by a six-digit code delivered via email or text message.
Nonetheless, you could input any arbitrary six numbers and snag the query utilizing a web intermediary like Burp Suite.
“Next, forward the aforementioned request to the hacker and embed $$ placeholder in the value of pin_code for the purpose of aggressively cracking the confirmation code,” pens Manoj Gautam, a security expert from Kathmandu who stumbled upon this glitch, in a blog article.
“Given the complete absence of rate-limit safeguards on this /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/endpoint, it was possible for anyone to sidestep the verification of contact points.”
Gautam mentions that the endpoint validating the code was also at risk due to the absence of rate-limit safeguards.
“In the absence of any rate limit safeguards during the verification of contact details – such as email or phone number – a potential hacker, with mere knowledge of the phone number, could easily integrate the victim’s 2FA-secured phone number into their own Facebook account linked to Instagram,” Gautam shares with The Daily Swig.
“When the intruder incorporates the target’s phone number, which has 2FA activated, into their own Facebook account that’s connected to Instagram, the 2FA gets deactivated or switched off on the target’s account.”
Gautam initially alerted Meta about the problem on September 14, and they managed to rectify it by October 17. The corporation recognized this as one of the most significant glitches discovered in 2022 and ultimately granted a reward of $27,200 for its identification.
“At first, I was skeptical about their bounty offer since it was only $3000. However, they responded, stating they will provide an extra bounty fee that will correspond to the highest possible impact, on top of the value of the bug I initially identified,” he explains.
“At last, following a 92-day period after the report was filed, I obtained an extra bounty in compliance with the updated payout rules for bypassing 2FA. In the end, the wait of over 90 days was completely justified as I was granted the largest bounty reward from Facebook.”