Two Factor Authentication Bypass On Facebook
Summary: I discovered a lack-of-rate-limiting issue in Instagram that could have allowed an attacker to bypass two-factor authentication on Facebook by confirming the targeted user's already-confirmed Facebook mobile number through the Meta Accounts Center.
This is Gtm Mänôz from Kathmandu, Nepal. This is my first ever bug bounty write-up, and it covers the highest bounty reward I have received from Facebook.
Back in mid-July 2022, I received an invitation to attend BountyCon 2022 in Singapore because of my exceptional performance in the Meta Bug Bounty program in early 2022. After getting the invitation, the only thing on my mind was to find at least one valid bug and get on the leaderboard of the live hacking event.
So, it all started when I noticed a new-looking UI for the Meta Accounts Center in Instagram.
In the above image, the personal details section had an option to add an email address and phone number to both the Instagram account and the linked Facebook account, which can be verified by entering the correct 6-digit code received by email/SMS. At the time of reporting, the endpoint verifying the 6-digit code had no rate-limit protection, allowing anyone to confirm any email address or phone number, whether or not it was already registered, on both the Instagram and the linked Facebook account.
Steps to Reproduce:
1. Generation of Encrypted Authproof:
Navigate to the personal details section as shown in the image below and enter the target's already-registered Facebook mobile number to add it to your Instagram-linked Facebook account.
At the same time, the client makes a POST request to the /api/v1/fxcal/get_native_linking_auth_blob/ endpoint to generate an Instagram encrypted authproof (token), which is sent in step 2 when adding the contact point and again later when verifying the confirmation code.
Below is the sample HTTP request from Burp Suite showing the generation of the encrypted token.
2. Adding Contact Points:
When a contact point (email/phone) is added, the client makes a POST request to the /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.add.async/ endpoint, asking the server to send the 6-digit verification code.
3. Code Verification:
Now, enter any random 6-digit code and intercept the request with a web proxy such as Burp Suite.
Then send that request to Intruder and mark the pin_code value as the payload position in order to brute-force the confirmation code.
Since there was no rate-limit protection at all on the /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/ endpoint, anyone could bypass contact point verification: a 6-digit code has only 1,000,000 possible values, so an unthrottled attacker is guaranteed to reach it.
If the 6-digit code is wrong, the response is "Wrong code: That code didn't work. Please check the code and try again."
If the 6-digit code matches, the response is noticeably longer and the entered email/phone is confirmed on the attacker's account.
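To show concretely why the missing rate limit is the whole bug, here is an added Python example (my own illustration, not Meta's code and not the author's Burp session) that models the verify endpoint in-process: a version that accepts unlimited guesses, the enumeration loop an Intruder sniper run performs against it, and a hardened version that locks the pending verification after a handful of wrong attempts. The secret code 042317, the response bodies, the contact number and the 5-attempt threshold are all constructed assumptions; only the short-error-versus-long-success contrast comes from the write-up.

```python
import hmac

# Constructed sample input: the 6-digit code the server would have sent to
# the victim's phone. Fixed here so the demo is deterministic (assumption).
SECRET_CODE = "042317"

# Response bodies modelled on the write-up: a short fixed error when the
# code is wrong, a much longer body when it is accepted. The exact fields
# are assumed; only the short-vs-long contrast is taken from the report.
WRONG_CODE = {
    "status": "fail",
    "message": "Wrong code: That code didn't work. Please check the code and try again.",
}


def success_body(contact):
    return {
        "status": "ok",
        "contact_point": contact,
        "verified": True,
        "linked_accounts": ["instagram", "facebook"],
        "payload": "x" * 512,  # stands in for the large bloks UI payload
    }


class VulnerableVerifier:
    """Models the flawed endpoint: one pending verification accepts an
    unlimited number of guesses, so enumeration always succeeds."""

    def __init__(self, code=SECRET_CODE, contact="+15550000000"):
        self._code = code
        self._contact = contact
        self.attempts = 0

    def verify(self, pin_code):
        self.attempts += 1
        if pin_code == self._code:
            return success_body(self._contact)
        return WRONG_CODE


class HardenedVerifier:
    """Same check with the controls that defeat enumeration: a bounded number
    of attempts per pending verification, a single-use code, and a
    constant-time comparison. The threshold of 5 is an assumption."""

    MAX_ATTEMPTS = 5
    REFUSED = {"status": "fail", "message": "Too many attempts; request a new code."}

    def __init__(self, code=SECRET_CODE, contact="+15550000000"):
        self._code = code
        self._contact = contact
        self.attempts = 0
        self.locked = False
        self.consumed = False

    def verify(self, pin_code):
        if self.locked or self.consumed:
            return self.REFUSED
        self.attempts += 1
        if hmac.compare_digest(pin_code.encode(), self._code.encode()):
            self.consumed = True  # a code is good for exactly one confirmation
            return success_body(self._contact)
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True  # further guesses need a freshly issued code
        return WRONG_CODE


def brute_force(verify, max_tries=10**6):
    """Enumerates 000000..999999 the way an Intruder sniper attack on
    pin_code would. Success is spotted the same way the report did: the
    accepting response is far longer than the fixed 'Wrong code' body.
    Stops as soon as the server answers with anything other than that
    body or a success, i.e. once guesses are being refused."""
    wrong = str(WRONG_CODE)
    for n in range(max_tries):
        pin = f"{n:06d}"
        body = str(verify(pin))
        if len(body) > 2 * len(wrong):
            return pin  # the long response: the code was accepted
        if body != wrong:
            return None  # refused or expired: enumeration is blocked
    return None


if __name__ == "__main__":
    v = VulnerableVerifier()
    print("vulnerable:", brute_force(v.verify), "after", v.attempts, "guesses")
    h = HardenedVerifier()
    print("hardened:", brute_force(h.verify), "after", h.attempts, "guesses")
```

Against the vulnerable verifier the loop finds 042317 on the 42,318th request; against the hardened one it is shut out after five. A real endpoint should also expire the code after a few minutes and count attempts per account and per source, not only per pending token, so an attacker cannot reset the counter simply by requesting a new code.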
As a result:
If the phone number was fully confirmed on Facebook and 2FA was enabled, 2FA is turned off on the victim's account.
If the phone number was only partially confirmed, meaning it was used only for 2FA, 2FA is revoked and the phone number is also removed from the victim's account.
Since the same endpoint verified contact points (email/phone) for both Instagram and the linked Facebook account, I was able to bypass verification of both unregistered and already-registered contact points on Instagram and Facebook (with one exception: an email address that already existed on Facebook could not be added).
Impact:
- Revoke anyone's SMS-based Facebook 2FA.
- Bypass contact point verification for both unregistered and already-registered email addresses/phone numbers on Instagram and Facebook (except adding an email address that already exists on Facebook).
Timeline:
- 14 Sep, 2022 — Report sent to Meta.
- 16 Sep, 2022 — Meta responded that they were not able to reproduce the issue.
- 20 Sep, 2022 — Gave my credentials to the security team for reproduction, as the new Accounts Center feature was not rolled out to their accounts.
- 21 Sep, 2022 — The feature completely vanished from the account after the team logged in from a new location.
- 21 Sep, 2022 — The feature reappeared after un-linking the linked Facebook account; I informed the team of this strange behaviour.
- 22 Sep, 2022 — Triaged.
- 24 Sep, 2022 — Bounty awarded by Facebook for the contact point verification bypass on Instagram.
- 3 Oct, 2022 — Sent additional impact: revoking anyone's SMS-based Facebook 2FA.
- 17 Oct, 2022 — Fix confirmed by Facebook.
- 17 Oct, 2022 — Asked the Facebook team to increase the bounty amount, as Facebook always pays based on the maximum possible impact of the report.
- 14 Dec, 2022 — Got a reply from the Facebook team saying they would be issuing “the additional bounty amount that will reflect the maximum potential impact in addition to the value of the bug I initially reported.”
- 15 Dec, 2022 — Additional bounty awarded by Facebook as per the new payout guidelines for 2FA bypass.
Link to the Facebook Newsroom post: https://about.fb.com/news/2022/12/metas-bug-bounty-program-2022/
Thanks for reading my write-up 🤗 Happy Hacking 🎭️
Thanks & best regards,