Meta awards $27,200 bounty to researcher for bug that bypassed Facebook 2FA
facepalm: Meta recently implemented a centralized login system to make it easier for Instagram, Facebook, and Meta (VR) users to manage their accounts. Unfortunately, when building its two-factor authentication flow, engineers overlooked a glaring error: there was no limit on verification attempts.
A security researcher named Gtm Manoz noticed the bug in July 2022. Looking for his first bug bounty to present at BountyCon 2022, Manoz started experimenting with the Meta Accounts Center, an interface that manages all Meta accounts and adds functionality similar to Google's universal sign-in across its services (YouTube, Gmail, Docs, etc.).
He noted that the page allows users to link a phone number to their account. Users simply enter their phone number followed by the six-digit 2FA code the system sends to it. However, Manoz found that when an incorrect code is entered, Accounts Center simply asks the user to re-enter it instead of issuing a new code.
There was also no limit on the number of failed attempts that could be entered in the confirmation field. This oversight allowed Manoz to brute-force the 2FA check on his own account and link to it a phone number that belonged to another Facebook profile. The only warning came after the fact: an email from Meta to the victim informing them that their phone number had been linked to another user's account.
While the direct damage from this exploit is mostly limited to the hassle of the owner recovering their phone number, it effectively disables 2FA on the victim's account, albeit temporarily. As long as the target takes no action, the account is open to phishing attacks.
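The missing control was an attempt budget on the code check. As an added illustration (not code from Meta or from the researcher), the verifier below hashes the issued code, allows a small number of wrong guesses, discards the code once that budget is spent or the code expires, and makes a correct code single-use; the limits, class and method names, and the sample account and phone values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # failed guesses allowed before the code is thrown away
CODE_TTL_SECONDS = 300  # a code is only valid for five minutes


class PhoneLinkVerifier:
    """Verifies the SMS code sent when a phone number is linked to an account.

    Unlike the flawed flow described above, each wrong guess counts against a
    small budget and exhausting it discards the code, so a six-digit code
    cannot be found by trying every value against the same challenge.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._pending = {}      # (account_id, phone) -> [code_hash, expires_at, failures]
        self._max_attempts = max_attempts
        self._ttl = ttl
        self._clock = clock     # injectable so expiry can be tested without sleeping

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account_id, phone):
        """Create a fresh 6-digit code; returned only so the caller can hand it to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account_id, phone)] = [self._digest(code), self._clock() + self._ttl, 0]
        return code

    def verify(self, account_id, phone, guess):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_challenge'."""
        key = (account_id, phone)
        entry = self._pending.get(key)
        if entry is None:
            return "no_challenge"
        code_hash, expires_at, failures = entry
        if self._clock() > expires_at:
            del self._pending[key]
            return "expired"
        if hmac.compare_digest(code_hash, self._digest(guess)):
            del self._pending[key]           # single use: a correct code cannot be replayed
            return "ok"
        entry[2] = failures + 1
        if entry[2] >= self._max_attempts:
            del self._pending[key]           # budget spent: a new code must be requested
            return "locked"
        return "wrong"
```

A per-account or per-phone rate limit at the HTTP layer complements this, but the attempt budget bound to the challenge itself is what stops an exhaustive guess regardless of request pacing.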
“Essentially the biggest impact here has been to override someone’s SMS-based two-factor authentication just by knowing the phone number,” Manoz told TechCrunch.
Manoz notified Meta of the bug in September, and the company fixed the vulnerability immediately. A spokesperson said that when Manoz discovered the issue, the Meta Accounts Center was still in beta and available only to a small number of users. The spokesperson also noted that Meta's investigation found no spike in the use of the feature, indicating that attackers had not exploited it.
Despite the relatively low severity rating of the bug, Meta awarded Manoz a $27,200 bug bounty. Not too shabby for his first bug hunt.
Over the past couple of years, Meta has stumbled several times over the login features of its various accounts. In 2021, it caused a mild panic when it logged everyone out of Facebook while reconfiguring the website. Last year, it deliberately locked many users out of their accounts for not enabling "Facebook Protect" by the deadline set in an official Meta email that looked suspiciously like a phishing scam.