"Facebook Bug Allows 2FA Bypass Via Instagram"

A bug-bounty hunter discovered a vulnerability in Meta's Instagram Application Programming Interface (API) endpoints that could let an adversary brute-force a verification code and circumvent two-factor authentication (2FA) on Facebook. Researcher Gtm Manôz found that a user can link their Instagram and Facebook accounts by adding a confirmed mobile number associated with the Facebook account. After the number is entered, Facebook generates a one-time code to validate the user's identity. However, the Instagram endpoint that checks this code did not enforce rate limiting, so a threat actor could push unlimited bot traffic at it and try every possible code until the one-time Facebook PIN was accepted, linking the accounts and bypassing Facebook's 2FA protections. The practical lesson is that an attempt cap on a verification code must be enforced by every endpoint that accepts the code, not only the primary one, and must be keyed to the target account rather than to the requesting client, since the attacker controls the client. This article continues to discuss the Instagram rate-limiting bug that could be exploited to bypass Facebook 2FA in vulnerable apps. 

Dark Reading reports "Facebook Bug Allows 2FA Bypass Via Instagram"
