$27,000 Awarded By Meta As Bounty For 2FA Bypass Vulnerability

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Jan 31, 2023 01:53 am PST

A researcher has revealed the specifics of a 2FA bypass issue affecting Instagram and Facebook. A researcher has revealed the specifics of a two-factor authentication (2FA) flaw for which Facebook parent company Meta offered him a $27,000 bug bounty.

In September 2022, Gtm Manoz of Nepal noticed that a system created by Meta for validating a phone number and email address lacked any rate-limiting security. In its yearly report on the bug bounty program, Meta noted Manoz’s discoveries and released a fix in October 2022. Since 2011, the IT juggernaut has distributed more than $16 million through its program, with $2 million being given away in 2022.

Manoz said in a blog post earlier this month that he found the flaw when inspecting a fresh Meta Accounts Center page on Instagram. Here, users can update their Instagram account and the Facebook account linked to it with an email and phone number. Users must provide a six-digit code they received via email or SMS in order to validate their phone number and email address.

According to the researcher’s analysis, the system checking the six-digit code did not have rate-limiting in place, which might have allowed an attacker to try every code until they found the appropriate one.

A hacker would have specifically needed to know the phone number that the targeted individual had linked to their Instagram and Facebook accounts. By taking advantage of the flaw, the attacker might have assigned the victim’s phone number to an account they controlled and used a brute-force assault to obtain the six-digit verification code.

As a result, the victim’s phone number was deleted from Facebook and Instagram, and 2FA was disabled for security concerns. Meta is attempting to stop this from happening since if another user validates a phone number, that individual would receive the SMS carrying the 2FA code.

Facebook And Instagram Both Affected By A Serious 2FA Bypass Vulnerability.

In a blog post, Gtm Manôz explained how the 2FA bypass vulnerability in Facebook and Instagram that he found last year could be used. As it turned out, he was interested in BountyCon 2022 after Meta invited him to it and wanted to find something interesting for the live hacking event. So, he looked at the new layout of Instagram’s “Meta Accounts Center.” It made it possible to add an email address or phone number to Instagram’s “Personal Information” section and the linked Facebook account after a 6-digit OTP was entered and verified.

Here, Manôz found that there was no rate-limiting feature, which meant that an attacker could add a phone number that had already been verified to a target Facebook or Instagram account. For an attacker to take advantage of the flaw, they had to guess the confirmation code to link their phone number to the target account. If it worked, this would turn off 2FA for the victim’s account because the attacker would be able to link the victim’s information to its own account.

Manoz demonstrated that when a user’s phone number was deleted as a result of being confirmed by a different individual, Facebook users did indeed receive a notification. Based on the vulnerability’s highest possible impact, Meta paid the researcher $27,200 for their findings.

How To Avoid 2FA attacks

Even though you can’t stop all attacks, there are several ways to make your two-factor authentication (2FA) safer. The tips below should help you do exactly that.

  • Make sure 2FA is turned on for all of your accounts. If you can skip 2FA, it’s the same as not having it.
  • Use authenticator apps like Google Authenticator, Authy, or even better, WebAuthN (if the service you are using supports it) instead of codes sent by SMS.
  • As with other types of phishing, you should be careful where you enter your password. Even if the page looks the same, make sure the domain name in the address bar is what you expect it to be.
  • Avoid reusing passwords and use strong passwords to stop attackers from getting to the 2FA stage.
  • Even though the points above may seem confusing, the best way to stay as safe as possible is to use 2FA. Now that you know how an attacker could get around the different 2FA methods, you should be able to teach yourself and your employees more secure ways to protect your accounts.


A researcher shared information about a two-factor authentication (2FA) flaw that earned him a $27,000 bug bounty from Meta, the company that owns Facebook. In September 2022, Gtm Manoz of Nepal found that Meta’s system for verifying a phone number and email address didn’t have any rate-limiting protection. Meta released a fix in October 2022, and in its annual bug bounty program report, the company talked about Manoz’s findings. Since 2011, the tech giant’s program has given out more than $16 million, and $2 million will be given out in 2022.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x