Thursday September 19, 2024

Advisory ID: NCC-CSIRT-0702-008 

Summary: Gtm Mänôz, a bug-bounty hunter, discovered a missing rate-limiting control on Meta's Instagram application programming interface (API) endpoints that could have allowed an attacker to bypass two-factor authentication (2FA) on Facebook by confirming the targeted user's already-confirmed Facebook mobile number through the Meta Accounts Center.

Vulnerable Platform(s):  Social Media

Threat Type:  

  • Vulnerability
  • Brute-Force Attacks

Product:   Facebook and Instagram Applications

Version:   Any Version

Description:  Instagram lets users add an email address and a phone number to their Instagram account and to the Facebook account linked to it. To verify the email address or phone number, the user must enter a six-digit code delivered by email or SMS. According to the researcher's finding, the system that checked this six-digit code had no rate limiting in place, so an attacker could have submitted every possible code until the right one was accepted. Specifically, the attacker would have needed to know the phone number the targeted user had assigned to their Instagram and Facebook accounts. By brute-forcing the six-digit verification code, the attacker could have assigned the victim's phone number to an account under the attacker's control. This removed the phone number from the victim's Facebook and Instagram accounts and, for security reasons, disabled 2FA on them. Once a phone number is verified by another user, that user receives the SMS containing the 2FA code.
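As an added illustration of the missing control described above (example code, not the vendor's implementation), a contact-point verifier that caps failed guesses per issued code, expires codes, makes them single use, and binds each code to the account that requested it. The names MAX_ATTEMPTS, CODE_TTL_SECONDS and ContactVerifier are hypothetical choices for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this added example (not Meta's settings).
MAX_ATTEMPTS = 5          # failed guesses allowed per issued code
CODE_TTL_SECONDS = 600    # each code is valid for ten minutes
CODE_DIGITS = 6           # the six-digit codes described in the advisory


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    failed_attempts: int = 0


class ContactVerifier:
    """Issues six-digit codes for an (account, contact point) pair and checks them
    with a per-code attempt budget: a 10**6 keyspace is safe only if each code can
    be guessed a handful of times before it is thrown away."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending: dict[tuple[str, str], PendingVerification] = {}

    def issue_code(self, account_id: str, contact: str) -> str:
        # secrets.randbelow is unpredictable; zero-pad so every code has CODE_DIGITS digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[(account_id, contact)] = PendingVerification(code, self._now())
        return code  # a real service sends this by SMS/email rather than returning it

    def verify(self, account_id: str, contact: str, guess: str) -> bool:
        key = (account_id, contact)  # binds the code to the account that requested it
        pending = self._pending.get(key)
        if pending is None:
            return False  # nothing issued, already used, or invalidated
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(pending.code.encode(), guess.encode()):
            del self._pending[key]  # single use
            return True
        pending.failed_attempts += 1
        if pending.failed_attempts >= MAX_ATTEMPTS:
            del self._pending[key]  # budget exhausted: a fresh code must be requested
        return False
```

Code issuance itself must also be throttled per account and per client, since otherwise the guess budget resets with every newly requested code.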

Consequences:  

  • Revocation of the victim's SMS-based Facebook 2FA. 
  • Bypass of contact-point verification for both unknown and already-registered email addresses/phone numbers on Instagram and Facebook. 

Impact/Probability: HIGH/HIGH

Solution:

  • Users should update their apps to the most recent version from the vendor's website.

References:

https://www.securityweek.com/meta-awards-27000-bounty-for-2fa-bypass-vulnerability/ 

https://www.darkreading.com/application-security/facebook-bug-2fa-bypass-instagram 

https://medium.com/pentesternepal/two-factor-authentication-bypass-on-facebook-3f4ac3ea139c 

https://www.hkcert.org/security-news?item_per_page=10&year%5B%5D=2023&month%5B%5D=01