Prevent User Confirm Their Identity To Unlock 2FA Locked Account

Syd Ricafort (0cod3)
2 min read · Jan 10, 2022


Description: Two-Factor Authentication (2FA) is a security feature that helps Facebook users protect their account with a second factor in addition to their password. When someone attempts to access your account from a browser or mobile device that Facebook does not recognize, you are prompted to enter a special login code or to confirm the login attempt. Users can also receive notifications when someone tries to log in from an unrecognized browser or device.

More info here: https://www.facebook.com/help/148233965247823

The bug I found is in the "Get Help" option of the 2FA login flow. When someone loses the phone number set up for 2FA and only knows their email and password, they can use this recovery flow to submit a valid ID for Identity Confirmation. The request requires an active email address and a valid ID. Facebook then emails an unlock link of the form https://www.facebook.com/login/unlock.php?u=UID&n=Unlock_Code, which turns off 2FA and lets the user regain access to the account. The vulnerability is that when the Facebook account is deactivated but Messenger is still active, the victim cannot use Identity Confirmation at all and cannot request an unlock. Since the user needs the 2FA device they no longer have in order to reactivate the account, this can permanently remove their chance of regaining access.

I also noticed that the failure looks different on each domain.

On m.facebook.com and mbasic.facebook.com the flow shows a generic "Sorry, something went wrong" error page, while on www.facebook.com the "How Can We Reach You" page simply does not proceed after entering the email address and clicking Next. In both cases the recovery request is never submitted.
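The failure described above is a state-handling gap in the recovery flow: the eligibility check only considers one account state, so a deactivated-but-Messenger-active user has no path out of 2FA. The following toy model is an added example written for this page; it is not Facebook's code, and the account states, the `Account` fields and the gate functions are assumptions chosen to illustrate the bug. It contrasts a gate that only admits active profiles with one that admits every account that still exists, and includes the check a practitioner would want: enumerating every account state and confirming recovery is reachable from each.

```python
"""Toy model of a 2FA 'Get Help' identity-confirmation flow (added example).

Not Facebook's implementation: states, fields and gate logic are assumptions
made to illustrate why a recovery flow must handle every account state.
"""
import secrets
from dataclasses import dataclass
from enum import Enum, auto
from urllib.parse import urlencode


class AccountState(Enum):
    ACTIVE = auto()
    DEACTIVATED_MESSENGER_ACTIVE = auto()  # profile off, Messenger still on
    DEACTIVATED = auto()                   # profile and Messenger both off
    DELETED = auto()                       # nothing left to recover


@dataclass
class Account:
    uid: int
    email: str
    two_factor_enabled: bool
    state: AccountState
    id_verified: bool = False  # set once the submitted ID has been reviewed


class RecoveryError(Exception):
    """Raised when the identity-confirmation flow refuses a request."""


def gate_active_only(acct: Account) -> bool:
    """Hypothetical original gate: only a live profile may start recovery.

    This is the bug shape: a deactivated account with Messenger still active
    is locked behind 2FA but is never allowed into the recovery flow.
    """
    return acct.two_factor_enabled and acct.state is AccountState.ACTIVE


def gate_any_existing(acct: Account) -> bool:
    """Corrected gate: any account that still exists and has 2FA on can recover."""
    return acct.two_factor_enabled and acct.state is not AccountState.DELETED


def build_unlock_link(acct: Account, code: str) -> str:
    """Unlock link in the shape the page describes: unlock.php?u=UID&n=Unlock_Code."""
    return "https://www.facebook.com/login/unlock.php?" + urlencode(
        {"u": acct.uid, "n": code}
    )


def issue_unlock_link(acct: Account, gate=gate_any_existing) -> str:
    """Run the recovery flow for one account under a given eligibility gate."""
    if not gate(acct):
        raise RecoveryError(f"identity confirmation unavailable in state {acct.state.name}")
    if not acct.id_verified:
        raise RecoveryError("submitted ID has not been verified yet")
    # Unguessable, single-use code; the real value and its lifetime are unknown
    # to this example and are an assumption.
    code = secrets.token_urlsafe(24)
    return build_unlock_link(acct, code)


def recovery_matrix(gate) -> dict[AccountState, bool]:
    """The lockout check: for each account state, can a 2FA user start recovery?

    Any state (other than DELETED) that maps to False is a permanent-lockout
    path that the flow needs to handle.
    """
    return {
        state: gate(Account(uid=1, email="user@example.test", two_factor_enabled=True, state=state))
        for state in AccountState
    }


def locked_out_states(gate) -> list[AccountState]:
    """States where the account still exists but recovery is refused."""
    return [s for s, ok in recovery_matrix(gate).items() if not ok and s is not AccountState.DELETED]


if __name__ == "__main__":
    victim = Account(42, "victim@example.test", True, AccountState.DEACTIVATED_MESSENGER_ACTIVE, id_verified=True)
    print("buggy gate locks out:", [s.name for s in locked_out_states(gate_active_only)])
    print("fixed gate locks out:", [s.name for s in locked_out_states(gate_any_existing)])
    print(issue_unlock_link(victim))
```

Running the model shows the buggy gate refusing both deactivated states, which is exactly the "something went wrong" / page-does-not-proceed behaviour reported above, while the corrected gate admits them. The `recovery_matrix` check is the part worth keeping in a real test suite: every time a new account state is introduced, it makes a missing recovery path visible before it strands a user.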

Timeline

10/07/2021 — Report Sent

12/02/2021 — Bounty Awarded

Sometimes you just need logical thinking instead of advanced tools or knowledge. Because Logic == Magic.

Follow me on Twitter: @devsyd11


Written by Syd Ricafort (0cod3)

/* Security Researcher && Programmer */

No responses yet