Discovering and reporting a vulnerability through which attackers could have bypassed the two-factor authentication in Meta's account overview was worth a reward of around 27,000 US dollars to Facebook parent company Meta. IT researcher Gtm Mänôz has now explained the flaw.
Facebook flaw: unrestrained trial and error
As Mänôz explains, he came across the Meta account overview via Instagram. There, under the personal details, an e-mail address and telephone number can be added, which are then attached to the Instagram and Facebook accounts. Two-factor authentication takes the form of a six-digit code that Meta sends by e-mail or SMS.
When this data is added, the account management page connects to API endpoints whose requests an attacker could intercept and manipulate with a proxy. Since Meta had not implemented a rate limit of the kind Fail2ban provides, which temporarily blocks a computer after too many unsuccessful attempts, attackers could have used brute force to try all six-digit combinations. In the end, they would have been able to complete the verification of a phone number or e-mail address.
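The missing control described above, as an added example that is not Meta's code: a hypothetical server-side verifier for six-digit confirmation codes that gives each phone number or e-mail address a small budget of failed guesses, then burns the code and locks the identifier for a cool-down period, so that the one million possible combinations can never be exhausted. The identifier strings, limits and the injectable clock are constructed for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_GUESSES = 5   # attempt budget per issued code
CODE_TTL_SECONDS = 600   # a code is only valid for ten minutes
LOCKOUT_SECONDS = 900    # cool-down once the budget is spent

@dataclass
class PendingCode:
    code: str
    issued_at: float
    failed_guesses: int = 0

class OtpVerifier:
    """Checks six-digit confirmation codes per phone number or e-mail address."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable clock for tests (hypothetical design, not Meta's)
        self._pending = {}         # identifier -> PendingCode
        self._locked_until = {}    # identifier -> timestamp until which verification is refused

    def _is_locked(self, identifier):
        return self._clock() < self._locked_until.get(identifier, 0.0)

    def issue(self, identifier):
        if self._is_locked(identifier):   # no fresh code during lockout, else the lock could be reset at will
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[identifier] = PendingCode(code, self._clock())
        return code  # delivered out of band (SMS/e-mail), never echoed to the client

    def verify(self, identifier, guess):
        now = self._clock()
        if self._is_locked(identifier):
            return "locked"        # even the correct code is rejected while locked
        entry = self._pending.get(identifier)
        if entry is None:
            return "no_pending_code"
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[identifier]
            return "expired"
        if hmac.compare_digest(entry.code.encode(), guess.encode()):  # constant-time compare
            del self._pending[identifier]   # single use
            return "ok"
        entry.failed_guesses += 1
        if entry.failed_guesses >= MAX_FAILED_GUESSES:
            del self._pending[identifier]   # burn the code and lock the identifier
            self._locked_until[identifier] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong_code"
```

A per-identifier budget alone is not enough in production: the code-issuing endpoint and the calling IP or account also need their own limits, and lockout events should be logged as a brute-force signal.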
Meta's bug bounty program has confirmed the bug via its Facebook account. The company says it "fixed a bug reported by Nepal's Gtm Mänôz that could allow an attacker to bypass SMS-based 2FA by exploiting a lack of rate limiting to brute-force guess the verification pin used to confirm a phone number". Meta paid a reward of $27,200 for the report.
In addition to the commercial bug bounty programs, which are run in particular by large and solvent corporations, there are also non-commercial projects. At the end of last year, the Open Bug Bounty project reached a whopping one million security vulnerabilities on the web that could be fixed in this way.
(dmk)