A researcher has revealed the specifics of a two-factor authentication (2FA) flaw for which Facebook parent company Meta offered him a USD 27,000 bug bounty. In September 2022, Gtm Manoz of Nepal discovered that a system created by Meta for validating a phone number and email address lacked any rate-limiting protection.
In its yearly report on the bug bounty program, Meta noted Manoz’s discoveries and released a fix in October 2022. Since 2011, the tech juggernaut has distributed more than USD 16 million through its program, with USD 2 million being given out in 2022.
Manoz claimed in a blog post earlier this month that he found the flaw while inspecting a new Meta Accounts Center page in Instagram.
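For readers who build similar confirmation flows, the sketch below shows the kind of control the article says was missing: a cap on failed guesses for a phone or email confirmation code. It is an added example, not Meta's code or its fix, which the article does not describe; the class name, the 6-digit code length, the five-failure limit and the ten-minute lifetime are all assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5   # assumed policy: wrong guesses allowed per issued code
CODE_TTL = 600     # assumed policy: seconds an issued code stays valid


class VerificationStore:
    """Hypothetical store: one pending code per (account, contact point)."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # (account_id, contact) -> [code, expires_at, failures]
        self._clock = clock

    def issue(self, account_id, contact):
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits is an assumption
        self._pending[(account_id, contact)] = [code, self._clock() + CODE_TTL, 0]
        return code   # a real service would deliver this by SMS or e-mail

    def verify(self, account_id, contact, guess):
        # The failure counter is keyed on what is being verified, not on the
        # client IP or session, so switching clients does not reset it.
        key = (account_id, contact)
        entry = self._pending.get(key)
        if entry is None:
            return "no_pending_code"
        code, expires_at, _failures = entry
        if self._clock() >= expires_at:
            del self._pending[key]
            return "expired"
        # Constant-time comparison on bytes (also tolerates non-ASCII input).
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._pending[key]
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_FAILURES:
            del self._pending[key]   # burn the code: a new one must be issued
            return "locked"
        return "wrong"
```

A production flow would also cap how often `issue` can be called for the same contact point, since unlimited re-issuance hands out fresh attempts.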