Two Factor Authentication Bypass On Facebook

Summary: I discovered the lack of rate-limiting issue in instagram which could have allowed an attacker to bypass two factor authentication on facebook by confirming the targeted user’s already-confirmed facebook mobile number using the Meta Accounts Center.

Hello Everyone,

This is Gtm Mänôz from Kathmandu, Nepal. This is my first ever bug bounty write-up and the highest bounty reward from facebook.

Back in Mid-July 2022, I had got an invitation to attend BountyCon 2022 in Singapore because of my exceptional performance in Meta Bug Bounty program in early 2022. After getting the invitation, the only thing in my mind was to find at least a valid bug and be on the leaderboard of the live hacking event.

So, it all started when I found a new looking UI of Meta Accounts Center in instagram.

In the above image , personal details section had an option to add email and phone number to both instagram and linked facebook account which can be verified after placing the correct 6-digits code received in email/phone. At the time of reporting, the endpoint verifying the 6-digits code was vulnerable to lack of rate-limit protection allowing anyone to confirm unknown/known email and phone number both in instagram and linked facebook accounts.

Steps to Reproduce:

1.Generation Of Encrypted Authproof:

Navigate to the personal details section as shown in below image and enter the already registered facebook mobile number to add in your instagram linked facebook account.

Simultaneously, it will make post request to /api/v1/fxcal/get_native_linking_auth_blob/ endpoint to generate ig encrypted authproof (token) which will be added in step 2 to add contact points and also later to verify the confirmation code.

Below is the sample HTTP request from burp suite showing the generation of encrypted token.

2. Adding Contact Points:

While adding contact points (email/phone), it will make post request to /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.add.async/ endpoint to request the server to send 6 digits code for verification.

3. Code Verification

Now, enter any random 6 digits code and intercept the request using web proxy such as burp suite.

Then, send the above request to the intruder and insert $$ placeholder in the pin_code value in order to brute force the confirmation code.

Since, there was no rate-limit protection at all in this /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/endpoint, anyone could bypass the contact points verification.

While brute-forcing,

If the 6 digit code is wrong, the response will be “Wrong code: That code didn’t work. Please check the code and try again.”

And, if the 6 digit code matches, the response will be be long and the entered email/phone will be confirmed to attacker’s account.

As a result,

If the phone number was fully confirmed and 2FA enabled in facebook, then the 2FA will be turned off or disabled from victim’s account.

And, if the phone number was partially confirmed that means only used for 2FA, it will revoke the 2FA and also the phone number will be removed from victim’s account.

Since, the endpoint verifying both the contact points (email/phone) in instagram and linked facebook accounts was same , I was able to bypass both unknown and already registered contact points (email/phone) verification in instagram and facebook (unable to add already existed email in fb).

Also, on the same day my report was highlighted as one of the most impactful bug submitted during 2022 on the Facebook News Room and Meta Bug Bounty official facebook page.

Link to the FB Newsroom: https://about.fb.com/news/2022/12/metas-bug-bounty-program-2022/

Thanks for reading my write-up 🤗 Happy Hacking 🎭️

Thanks & best regards,
Gtm Mänôz