A researcher has found a way hackers can evade Facebook’s two-factor authentication and access victims’ accounts.
Cybersecurity researcher Bassem M. Bazzoun reported his findings at the Meta Bug Bounty Conference in Seoul, South Korea, at the end of June. On Tuesday, Bazzoun published a post on Medium explaining how he could circumvent Facebook’s two-factor authentication (2FA).
“When users enable two-factor authentication, they will feel completely secure, believing that their account cannot be compromised,” Bazzoun told VPNOverview. “However, I was able to bypass the two-factor authentication of their Facebook accounts through this bug.”
Two-factor authentication is a security feature that prevents unauthorized access to accounts by requiring users to verify their identity.
Facebook has since patched the vulnerability.
Side Stepping Facebook’s 2FA
“It all started when I discovered a vulnerable endpoint on Instagram’s sign-up page that lacked proper rate limiting,” Bazzoun said.
He exploited this by “bruteforcing the verification code” to create an Instagram account linked to the victim’s phone number. Bazzoun added the phone number to his Facebook account. This removed 2FA verification for the phone number as it “had already been confirmed on Instagram,” — essentially rendering the victim’s account unprotected.
“Linking the Instagram account successfully transferred the phone number to the account center. Consequently, I could add the phone number to my Facebook account without being asked for a re-verification prompt,” he explained. “Adding the phone number to my Facebook account will remove the phone number from the victim’s account, which will disable the 2FA and… BOOM!”
Without 2FA authentication, hackers could easily use stolen credentials — widely sold on dark web marketplaces — to access victims’ accounts without raising any alarm.
It’s not uncommon for attackers to find a way around 2FA. In August 2022, a coordinated phishing attack against Cloudflare employees saw attackers send real-time, authentic-looking SMS phishing messages to them and their relatives, directing them to a fake login page. The attacker’s real-time data relay system intercepted time-sensitive One Time Password (TOTP) codes, allowing them to bypass 2FA.
How to Protect Your Accounts
“Security vulnerabilities can still be present on any website. These vulnerabilities are unintended and beyond companies’ control,” he told VPNOverview.
Bazzoun recommends keeping your passwords secure and not sharing them with anyone to protect your accounts. He also warned against clicking on suspicious links or links from unknown sources.
“It’s always better to enable multi-factor authentication (MFA) using an authenticator app, as recommended by Facebook. This is more secure than SMS-based two-factor authentication (2FA) because, from my point of view, it’s hard to find a bypass for MFA that is enabled through an authenticator app,” he said.
For improved security, we recommend using passwordless login (or passkeys) on platforms that support it.
To learn more about how to secure your account, check out our guide to optimizing your Facebook privacy settings.
Bazzoun received a bounty of $25,300 after reporting the vulnerability to Facebook.