A bug-bounty hunter found an issue in Meta’s Instagram API endpoints that could allow a threat actor to launch brute-force attacks and bypass two-factor authentication (2FA) on Facebook.

The researcher, Gtm Mänôz, first discovered a user could link their Instagram and Facebook accounts by adding in an already confirmed mobile number associated with the Facebook account. Once the mobile number is entered, Facebook generates a one-time code to verify the user’s identity.

But the rate-limiting issue on Instagram’s endpoint could allow a threat actor to drive unlimited bot traffic to launch a brute-force attack to confirm a one-time Facebook PIN to link the accounts, effectively bypassing Facebook’s 2FA protections.

Once inside the account, a cyberattacker could revoke the SMS-based Facebook 2FA altogether and bypass verification points for unknown, as well as already registered, Facebook and Instagram accounts, the report added.

“If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account,” Mänôz wrote. “And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim’s account.”

Meta has since fixed the issue and awarded Mänôz $27,000 for the find through its bug bounty program. Users should update their apps to the latest version to avoid being vulnerable.