A researcher received a large reward for reporting a serious two-factor authentication (2FA) bypass flaw in Meta products. He discovered the 2FA bypass vulnerability on Instagram, and it could also affect associated Facebook accounts. Meta fixed the problem after receiving the bug report.
2FA Bypass Vulnerability In Instagram Could Impact Facebook Too
In a blog post, the researcher Gtm Mänôz described the 2FA bypass vulnerability in Facebook and Instagram that he identified last year.
Mänôz found that rate limiting was missing in this case, which allowed an attacker to add an already-verified phone number to a target Facebook/Instagram account.
The researcher reported the vulnerability to Meta administrators after spotting it. In response, Meta confirmed Instagram’s “contact points verification bypass” vulnerability.
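The missing control, sketched as an added example (not from the researcher's post and not Meta's code): a confirmation-code check for claiming a contact point that caps both wrong guesses and resends. It assumes the unthrottled step was a 6-digit code check; the class, function names and limits are hypothetical.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5     # assumed policy: wrong guesses allowed per issued code
CODE_TTL = 600       # assumed policy: seconds an issued code stays valid
MAX_ISSUES = 3       # assumed policy: codes per contact point per window
ISSUE_WINDOW = 3600  # seconds


class ContactPointVerifier:
    """Confirmation codes for claiming a phone/e-mail, with guess and resend caps."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # (account, contact_point) -> [code, expires_at, failures]
        self._issued = {}   # contact_point -> issue timestamps, across all accounts

    def issue(self, account, contact_point):
        now = self._clock()
        recent = [t for t in self._issued.get(contact_point, []) if now - t < ISSUE_WINDOW]
        if len(recent) >= MAX_ISSUES:
            return None  # resend throttled, so a lockout cannot be reset by re-issuing
        self._issued[contact_point] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account, contact_point)] = [code, now + CODE_TTL, 0]
        return code  # a real service sends this out of band; returned here for the demo

    def verify(self, account, contact_point, guess):
        entry = self._pending.get((account, contact_point))
        if entry is None:
            return "no_pending_code"
        code, expires_at, failures = entry
        if self._clock() >= expires_at:
            del self._pending[(account, contact_point)]
            return "expired"
        if failures >= MAX_FAILURES:
            return "locked"  # checked before comparing: a later correct guess still fails
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._pending[(account, contact_point)]  # single use
            return "verified"
        entry[2] += 1
        return "rejected"


def guesses_evaluated(verifier, account, contact_point, guesses):
    """Count how many guesses were compared against the code before lockout."""
    results = [verifier.verify(account, contact_point, g) for g in guesses]
    return sum(r in ("rejected", "verified") for r in results)
```

The resend counter is keyed on the contact point being claimed rather than on the requesting account, so switching accounts does not buy more guesses against the same number.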
A reward followed. At this point, the researcher needed to persuade Meta administrators to set the prize in accordance with their policy of weighing the largest possible effect.
Finally, pursuant to the New Payout Guidelines, the tech giant handed him a $27,000 prize. In its preview of the Bug Bounty Program 2022, Meta included this finding as one of the most significant bugs discovered in 2022.