
Facebook SMS-based Two-Factor Authentication Bypass ($2,500 Bounty)

Vulnerability Report - Meta Bug Bounty Program

Hello,

Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows attackers to disable SMS-based Two-Factor Authentication for the victim's Facebook account.

Prerequisites for Understanding the Vulnerability

To understand this vulnerability, it's necessary to understand a few key concepts first.

1. Account Center:

The Account Center, provided by Meta, offers users a unified interface to manage and integrate their experiences across Facebook, Instagram, and other Meta services. It centralizes settings, permissions, and account data management, streamlining the handling of multiple linked accounts under the Meta umbrella. For more information about the Account Center, you can visit this page.

2. Facebook SMS-based Two-Factor Authentication:

On Facebook, if a phone number linked to your account is used for SMS-based two-factor authentication (2FA) and that same number later becomes linked to a different Facebook account, it is automatically removed from your account, which disables your SMS-based 2FA.

Exploiting the Vulnerability

While testing the Account Center, I discovered that if you have two connected accounts in the Account Center and one of them has a phone number linked to it, you can transfer this number to another account. For example, if you have connected Facebook and Instagram accounts, and your Facebook account has a phone number linked to it, you can open the Account Center from Instagram and add this number from your Facebook account to your Instagram account, and vice versa.

This led me to consider a scenario: Suppose the victim has two connected Instagram and Facebook accounts, with a phone number linked to their Facebook account. If the victim has 2FA enabled on their Facebook account using this phone number, and the attacker gains access to the victim's Instagram account, the attacker could transfer the phone number from the victim's Facebook account (which they don't have access to) to the Instagram account (which they do have access to). Then, by linking the victim's Instagram account to a Facebook account they control, the attacker could remove the phone number from the victim's Facebook account, effectively disabling the 2FA.

I attempted this by accessing the victim's Instagram account and trying to transfer the victim's phone number from their Facebook account to the Instagram account. Unfortunately, this attempt failed because I was prompted to re-verify the phone number, so I couldn't complete the transfer.

After further consideration, I came up with a different idea: What if I added my Meta account to the victim's Account Center and then tried to transfer the victim's phone number to the Instagram account from my Meta account's Account Center? Here's what I did:

I added my Meta account to the victim's Account Center. Then, from my Meta account's Account Center, I successfully transferred the victim's phone number to the Instagram account. I quickly connected the Instagram account to a Facebook account that I own and transferred the phone number from the Instagram account to my Facebook account. This action removed the phone number from the victim's Facebook account, disabling their 2FA.

Steps to Reproduce

From Victim's Side:

  1. The victim has two connected Instagram and Facebook accounts.
  2. The victim has a phone number linked to their Facebook account.
  3. The victim has text-message (SMS) 2FA enabled on their Facebook account using this phone number.

From Attacker's Side:

  1. The attacker gains access to the credentials of the victim's Facebook and Instagram accounts.
  2. The attacker's target is to bypass Facebook 2FA and gain access to the victim's Facebook account.
  3. The attacker logs into the victim's Instagram account.
  4. The attacker navigates to https://accountscenter.meta.com/accounts and adds the victim's Instagram account to their Meta account.
  5. The attacker navigates to https://accountscenter.meta.com/personal_info/contact_points and adds the victim's phone number from the victim's Facebook account to the victim's Instagram account.
  6. The attacker navigates to https://accountscenter.instagram.com/accounts/, removes the victim's Facebook account, and adds an account they own.
  7. The attacker navigates to https://accountscenter.instagram.com/personal_info/contact_points/ and adds the phone number to the newly added Facebook account.

From Victim's Side:

  1. The victim navigates to https://accountscenter.facebook.com/password_and_security/two_factor and finds that their Facebook 2FA has been disabled.
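The policy gap the write-up describes, modelled as an added example (this is not Meta's code): a toy Accounts Center in which a contact-point transfer succeeds for any linked login and silently strips the source account's SMS 2FA, beside an assumed hardened policy that requires the initiating login to re-verify the number and refuses to move a number that is an active 2FA factor. Account names and the phone number are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(eq=False)
class Account:
    """One login inside an Accounts Center (constructed toy model)."""
    name: str
    phone: Optional[str] = None
    sms_2fa: bool = False  # SMS 2FA is bound to `phone`
    verified_phones: Set[str] = field(default_factory=set)  # numbers this login re-verified


def transfer_vulnerable(center, actor, src, dst):
    """Pre-fix behaviour as the write-up describes it: any login in the Accounts
    Center may move a contact point between two other linked logins; the source
    silently loses the number and with it its SMS 2FA."""
    if any(a not in center for a in (actor, src, dst)) or src.phone is None:
        return False
    dst.phone, src.phone = src.phone, None
    src.sms_2fa = False
    return True


def transfer_fixed(center, actor, src, dst):
    """Assumed hardened policy (not Meta's actual fix): the initiating login
    must have re-verified the number itself, and a number that currently
    protects SMS 2FA on the source account is not moved at all."""
    if any(a not in center for a in (actor, src, dst)) or src.phone is None:
        return False
    if src.phone not in actor.verified_phones:
        return False  # a fresh code sent to the number is required from the actor
    if src.sms_2fa:
        return False  # never silently strip an active 2FA factor
    dst.phone, src.phone = src.phone, None
    return True


def scenario(transfer):
    """Replay the write-up's setup under a transfer policy and report whether
    the victim's Facebook SMS 2FA survives."""
    victim_fb = Account("victim_fb", phone="+15550100", sms_2fa=True)  # constructed number
    victim_ig = Account("victim_ig")
    attacker = Account("attacker_meta")  # a login the attacker has just linked
    center = [victim_fb, victim_ig, attacker]
    transfer(center, attacker, victim_fb, victim_ig)
    return victim_fb.sms_2fa
```

Under the vulnerable policy `scenario` reports the 2FA factor gone; under the fixed policy the transfer is refused because the actor never re-verified the number and the number is still a live 2FA factor.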

Proof of Concept Video

For a detailed demonstration, refer to the PoC video below:

Impact

This bug allows an attacker to bypass the 2FA of a victim's Facebook account, potentially leading to unauthorized access and control over the victim's Facebook account.

Timeline

  • May 20, 2024: Reported
  • May 28, 2024: Triaged
  • May 29, 2024: Bounty Rewarded ($2500)
  • August 3, 2024: Fixed
