The Instagram rate-limiting bug, found by a rookie hunter, could be exploited to bypass Facebook 2FA in vulnerable apps, researcher reports.

Dark Reading Staff, Dark Reading

January 30, 2023

1 Min Read
Meta and Facebook logos
Source: GK Images via Alamy

A bug-bounty hunter found an issue in Meta's Instagram API endpoints that could allow a threat actor to launch brute-force attacks and bypass two-factor authentication (2FA) on Facebook.

The researcher, Gtm Mänôz, first discovered a user could link their Instagram and Facebook accounts by adding in an already confirmed mobile number associated with the Facebook account. Once the mobile number is entered, Facebook generates a one-time code to verify the user's identity.

But the rate-limiting issue on Instagram's endpoint could allow a threat actor to drive unlimited bot traffic to launch a brute-force attack to confirm a one-time Facebook PIN to link the accounts, effectively bypassing Facebook's 2FA protections.

"If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account," Mänôz wrote. "And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim's account."

Meta has since fixed the issue and awarded Mänôz $27,000 for the find through its bug bounty program. Users should update their apps to the latest version to avoid being vulnerable.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights