A security researcher discovered a two-factor authentication bypass vulnerability that affected Instagram and Facebook, netting him a $27,000 bug bounty. Other security researchers found similar problems and received even higher bounties.
Many companies offer cash to researchers who unearth critical vulnerabilities before criminals can find and exploit them. It’s a valuable way for companies to improve products and online services, which is precisely what happened with the vulnerabilities discovered in the 2FA process for Facebook and Instagram.
“We also fixed a bug reported by GtmMänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report,” explained Meta in a report.
The same report covers more significant discoveries from various other security researchers, mostly dealing with the authentication process or other bugs found within the two-factor authentication chain.
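As an added illustration (not Meta's code), here is a hypothetical SMS code verifier with a per-number attempt budget, the kind of control whose absence the report describes: once the budget is spent the code is burned and the number is locked, so sequential guessing of the six-digit space stops after a handful of tries instead of running through all one million values. All phone numbers, codes and the fixed clock are constructed for the example.

```python
import hmac
import time

MAX_ATTEMPTS = 5            # wrong guesses allowed per issued code
LOCKOUT_SECONDS = 15 * 60   # how long an exhausted number stays locked
PIN_DIGITS = 6              # 10**6 possible codes


class PinVerifier:
    """Hypothetical verifier: one attempt budget per identifier per code."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}    # identifier -> [expected_code, failures]
        self._locked = {}   # identifier -> unix time the lockout ends

    def issue(self, identifier, code):
        # Constructed: a real service generates the code and sends it by SMS.
        self._codes[identifier] = [code, 0]

    def attempts_remaining(self, identifier):
        if self._now() < self._locked.get(identifier, 0.0):
            return 0
        entry = self._codes.get(identifier)
        return 0 if entry is None else MAX_ATTEMPTS - entry[1]

    def verify(self, identifier, submitted):
        if self._now() < self._locked.get(identifier, 0.0):
            return False                      # locked: refuse without comparing
        entry = self._codes.get(identifier)
        if entry is None:
            return False                      # nothing outstanding for this number
        expected, failures = entry
        if hmac.compare_digest(expected, submitted):
            del self._codes[identifier]       # single use: a code never verifies twice
            return True
        entry[1] = failures + 1
        if entry[1] >= MAX_ATTEMPTS:
            del self._codes[identifier]       # burn the code and lock the number
            self._locked[identifier] = self._now() + LOCKOUT_SECONDS
        return False


def simulate_guessing(verifier, identifier, start=0):
    """Guess codes in order from `start`; return (guesses_made, succeeded)."""
    for guess in range(start, 10 ** PIN_DIGITS):
        if verifier.verify(identifier, f"{guess:0{PIN_DIGITS}d}"):
            return guess - start + 1, True
        if verifier.attempts_remaining(identifier) == 0:
            return guess - start + 1, False   # budget spent, enumeration stops
    return 10 ** PIN_DIGITS - start, False
```

Without the budget, the same loop would eventually reach any code; with it, the odds of a blind guess succeeding are MAX_ATTEMPTS / 10**PIN_DIGITS per issued code.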
“We received a report from YaalaAbdellah, who identified a bug in Facebook’s phone number-based account recovery flow that could have allowed an attacker to reset passwords and take over an account if it wasn’t protected by 2FA,” Meta said.
“We’ve fixed this bug and found no evidence of abuse. We rewarded the researcher our highest bounty at $163,000, which reflects its maximum potential impact and program bonuses,” the company added.
All of these issues have since been fixed, but it’s worth noting that Mänôz’s two-factor exploit doesn’t come with the same assurance that it was never used in the wild.
Social networks remain a primary target for criminals, as is evident from the number of attacks and the fact that data leaked from previous breaches always finds its way onto the dark web.