The Instagram rate-limiting bug, found by a rookie hunter, could be exploited to bypass Facebook 2FA in vulnerable apps, researcher reports.
A bug-bounty hunter found an issue in Meta's Instagram API endpoints that could allow a threat actor to launch brute-force attacks and bypass two-factor authentication (2FA) on Facebook.
The researcher, Gtm Mänôz, first discovered a user could link their Instagram and Facebook accounts by adding in an already confirmed mobile number associated with the Facebook account. Once the mobile number is entered, Facebook generates a one-time code to verify the user's identity.
But the rate-limiting issue on Instagram's endpoint could allow a threat actor to drive unlimited bot traffic to launch a brute-force attack to confirm a one-time Facebook PIN to link the accounts, effectively bypassing Facebook's 2FA protections.
"If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account," Mänôz wrote. "And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim's account."
Meta has since fixed the issue and awarded Mänôz $27,000 for the find through its bug bounty program. Users should update their apps to the latest version to avoid being vulnerable.
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024