The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook.
The flaw resides in a component used by the parent company Meta for confirming a phone number and email address. The researchers noticed that the software did not implement a rate-limiting protection mechanism that allowed him to bypass two-factor authentication on Facebook by confirming the targeted user’s already-confirmed Facebook mobile number using the Meta Accounts Center.
Manoz reported the flaw to Meta in September 2022, the IT giant addressed it in October 2022.
“2FA Bypass – We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.” reads the bug bounty program report published by Meta.
