Rookie Researcher Discovers Facebook 2FA Bug, Receives $27,200 Bounty


Twenty-seven thousand dollars. Not bad for a first-time bug hunter. In July of last year, newcomer Gtm Mänôz discovered a flaw that let him bypass the second authentication factor (2FA) of the Meta Accounts Center, the tool that manages a user's Facebook and Instagram accounts in one place.


The page lets users associate a phone number with their account. Once they do, as an additional security factor, they receive a six-digit authentication code (2FA) by SMS.

The problem Mänôz found is that when a wrong code is entered, the Accounts Center simply asks the user to enter it again, when it should have issued a new code. Worse, he discovered there was no limit on how many wrong guesses could be submitted in the input field. Because the same code stays valid and the endpoint imposes no attempt cap, an attacker can simply enumerate all one million six-digit values until one is accepted.

Image: Facebook 2FA bug (Meta)

The result: from his own account, he was able to brute-force the SMS code sent for a phone number belonging to an arbitrary Facebook profile and link that number to himself. Meta itself then emails the victim to notify them that their phone number has been linked to another account.
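To make the failure mode described above concrete, here is an added Python model of an SMS-code verification endpoint; it is not code from the original article, from Meta or from the researcher. WeakVerifier reproduces the two properties the article describes: the same code stays valid after a wrong guess and nothing caps the number of attempts. HardenedVerifier is the corrected form: a bounded attempt count, after which the code is discarded and a fresh send is required, a single-use code, and a constant-time comparison. brute_force plays the attacker enumerating every six-digit value. The phone number, the five-attempt limit and the fixed demo codes are assumptions chosen for illustration.

```python
import hmac
import secrets
from typing import Optional

OTP_DIGITS = 6
MAX_ATTEMPTS = 5  # assumed policy for the hardened verifier, not a Meta setting


def random_code() -> str:
    """Zero-padded six-digit code, as an SMS 2FA system would send."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class WeakVerifier:
    """Models the behaviour the article describes: a wrong guess just prompts
    for the code again, the same code stays valid, and nothing caps attempts."""

    def __init__(self, phone: str, code: Optional[str] = None):
        self.phone = phone
        # A caller-supplied code exists only to make demos reproducible.
        self.code = code if code is not None else random_code()
        self.attempts = 0
        self.linked = False
        self.locked = False  # never set here; lets brute_force treat both verifiers alike

    def submit(self, guess: str) -> bool:
        self.attempts += 1
        if guess == self.code:  # plain comparison, code never expires
            self.linked = True
        return self.linked


class HardenedVerifier:
    """Corrected form: bounded attempts, code discarded on lockout or success,
    constant-time comparison."""

    def __init__(self, phone: str, code: Optional[str] = None,
                 max_attempts: int = MAX_ATTEMPTS):
        self.phone = phone
        self.code: Optional[str] = code if code is not None else random_code()
        self.max_attempts = max_attempts
        self.attempts = 0
        self.linked = False
        self.locked = False

    def submit(self, guess: str) -> bool:
        if self.locked or self.code is None:
            return False  # caller must request a fresh code first
        self.attempts += 1
        if hmac.compare_digest(guess, self.code):
            self.linked = True
            self.code = None  # single use: the accepted code cannot be replayed
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True  # too many failures: invalidate the code
            self.code = None
        return False


def brute_force(verifier, max_guesses: int = 10 ** OTP_DIGITS) -> Optional[str]:
    """Enumerate codes 000000..999999 against the verifier, like an attacker
    replaying the form submission. Returns the code that linked, or None."""
    for n in range(max_guesses):
        guess = f"{n:0{OTP_DIGITS}d}"
        if verifier.submit(guess):
            return guess
        if verifier.locked:
            return None  # the hardened endpoint has thrown the code away
    return None


if __name__ == "__main__":
    # Constructed demo values. The victim's number is all the attacker needs to know;
    # the code itself is what gets brute-forced.
    victim_phone = "+15550100"  # constructed example number
    weak = WeakVerifier(victim_phone, code="483920")
    print("weak:", brute_force(weak), "after", weak.attempts, "attempts")
    hard = HardenedVerifier(victim_phone, code="483920")
    print("hardened:", brute_force(hard), "locked after", hard.attempts, "attempts")
```

Against WeakVerifier the loop always terminates with the code linked, on average after half a million submissions, which is cheap over HTTP. Against HardenedVerifier the attacker gets five guesses and the code is gone; a real endpoint would also rate-limit per source address and per phone number, and the notification email the article mentions is a detection signal for the victim, not a control.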

“Basically, the biggest impact here was revoking anyone’s SMS-based 2FA just by knowing their phone number,” Mänôz told TechCrunch.

In September, Mänôz reported the bug to Meta, which fixed the vulnerability promptly. A spokesperson said that when the issue was found, the Meta Accounts Center was still in beta and available only to a small number of users. Meta also noted that its investigation revealed no spikes in the use of this feature, indicating that attackers had not exploited it.

Source: Medium
