A bug-bounty hunter found an issue in Meta’s Instagram API endpoints that could allow a threat actor to launch brute-force attacks and bypass two-factor authentication (2FA) on Facebook.

The researcher, Gtm Mänôz, first discovered a user could link their Instagram and Facebook accounts by adding in an already confirmed mobile number associated with the Facebook account. Once the mobile number is entered, Facebook generates a one-time code to verify the user’s identity.

But the rate-limiting issue on Instagram’s endpoint could allow a threat actor to drive unlimited bot traffic to launch a brute-force attack to confirm a one-time Facebook PIN to link the accounts, effectively bypassing Facebook’s 2FA protections.

Once inside the account, a cyberattacker could revoke the SMS-based Facebook 2FA altogether and bypass verification points for unknown, as well as already registered, Facebook and Instagram accounts, the report added.

“If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account,” Mänôz wrote. “And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim’s account.”

Meta has since fixed the issue and awarded Mänôz $27,000 for the find through its bug bounty program. Users should update their apps to the latest version to avoid being vulnerable.
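The root cause above is a one-time code that could be guessed an unlimited number of times. The following is an added illustration, not Meta’s code, of the server-side control that closes that gap: a code store that counts failed verification attempts per identifier and discards the code once a small cap or its lifetime is exceeded. The identifier, cap and lifetime values are assumptions chosen for the example.

```python
import hmac
import secrets
import time

# Constructed example (not Meta's code): a one-time code store that caps
# verification attempts so a short numeric PIN cannot be brute-forced.
MAX_ATTEMPTS = 5          # assumed cap on failed guesses per issued code
CODE_TTL_SECONDS = 300    # assumed lifetime of an issued code


class OtpStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # identifier -> [code, issued_at, failed_attempts]

    def issue(self, identifier: str) -> str:
        """Generate and store a fresh 6-digit code for e.g. a phone number."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[identifier] = [code, self._clock(), 0]
        return code

    def verify(self, identifier: str, guess: str) -> str:
        """Return 'ok', 'invalid', 'locked' or 'expired'.

        The code is discarded after MAX_ATTEMPTS failures or after
        CODE_TTL_SECONDS, so at most MAX_ATTEMPTS guesses are possible
        per issued code; a new code must be requested afterwards.
        """
        entry = self._codes.get(identifier)
        if entry is None:
            return "expired"
        code, issued_at, _ = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[identifier]
            return "expired"
        # Constant-time comparison on bytes; works for any str input.
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[identifier]  # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[identifier]  # no further guesses; force re-issue
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("+15550000000")  # constructed sample identifier
    wrong = "000000" if code != "000000" else "000001"
    print([store.verify("+15550000000", wrong) for _ in range(MAX_ATTEMPTS + 1)])
```

The demo prints four `invalid` results, then `locked`, then `expired`: after the cap is hit the real code no longer verifies at all, so a guesser gains nothing from further traffic.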