{title: "Bypass email confirmation on Meta, Facebook, and Instagram", date: "2025-Jun-24"}
This bug was probably one of the easiest bugs I’ve found so far. It affected all three major Meta products, Meta.com, Facebook, and Instagram, and I was lucky enough to get a bounty of $2500 for it. Here's the full story and breakdown of how I discovered this vulnerability and reported it.
Around late September 2024, I was testing the account login flow on meta.com, just to see how things were implemented. I tried to tweak things to log in without 2FA, and tried to bypass the rate limit on the login and password reset flows. But I wasn't successful, until one day, when I was!
Here’s how the bug worked:
First, you go to auth.meta.com and click “Continue with email.” You go through the usual account setup steps, enter your name, birthday, etc., and continue until you get to the page that asks for the code that was sent to the entered email inbox.
Now here's the fun part. I tried entering a random 6-digit code, and instead of saying it was incorrect, the response came back with "Expired Code, Please generate another confirmation code", even on the very first try. I tried a few more random codes, then finally entered the actual code that had been sent to the email, and strangely, the code was confirmed, even though moments before the server had been saying the code had already expired.
This hinted at some misconfiguration, so I figured, why not try brute-forcing the GraphQL mutation (FRLConfirmEmailMutation)? I intercepted the code submission request with Burp, sent it to Intruder, and set up a payload list of 6-digit codes in which the real code would only appear after more than a few thousand entries. Then I started Intruder.
It worked. After a few thousand requests, when the correct code was hit, the response came back with "isConfirmed: true" and the account was verified successfully. The server responded with 200 OK even for wrong codes; only the message body differed, so the hit had to be picked out by the body rather than by the status code.
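To make the failure mode concrete, here is an added example in Python that simulates the confirmation endpoint; it is not code from this write-up or from Meta. The `FRLConfirmEmailMutation` name and the `isConfirmed` / "Expired Code" strings come from the write-up; the service class, the lockout threshold and the victim address are assumptions constructed for the demo. The vulnerable variant answers every guess with a 200 and an "expired" message and never counts attempts, so the brute-force loop (the same thing Intruder was doing, minus the HTTP) walks the 6-digit space until the body flips to `isConfirmed: true`. The hardened variant invalidates the pending code after a handful of wrong guesses, and the same loop stops almost immediately.

```python
import hmac
import secrets
from typing import Optional, Tuple

CODE_LENGTH = 6
# Assumed lockout threshold for the hardened variant; not Meta's actual value.
MAX_WRONG_ATTEMPTS = 5

# Message quoted in the write-up; the vulnerable server returned it for wrong codes.
EXPIRED_MSG = "Expired Code, Please generate another confirmation code"


class ConfirmationService:
    """Constructed stand-in for the server side of the email confirmation step.

    rate_limited=False reproduces the behaviour described in the write-up:
    every guess is answered with HTTP 200 and a body that only differs in its
    message, and nothing ever counts the wrong guesses.
    rate_limited=True is the hardened variant: after MAX_WRONG_ATTEMPTS wrong
    guesses the pending code is invalidated and a new one must be requested.
    """

    def __init__(self, rate_limited: bool) -> None:
        self.rate_limited = rate_limited
        self._pending = {}  # email -> [code, wrong_attempts]

    def issue_code(self, email: str, code: Optional[str] = None) -> str:
        """Issue a fresh 6-digit code. `code` can be pinned for reproducible runs."""
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[email] = [code, 0]
        return code

    def confirm_email(self, email: str, guess: str) -> dict:
        """Models the FRLConfirmEmailMutation response body (always 'HTTP 200')."""
        entry = self._pending.get(email)
        if entry is None:
            return {"isConfirmed": False, "message": EXPIRED_MSG}
        code, wrong = entry
        if self.rate_limited and wrong >= MAX_WRONG_ATTEMPTS:
            del self._pending[email]  # burn the code; a new one must be issued
            return {"isConfirmed": False, "message": "Too many attempts, request a new code"}
        if hmac.compare_digest(guess, code):
            del self._pending[email]  # single use
            return {"isConfirmed": True}
        entry[1] += 1
        # Vulnerable behaviour from the write-up: a wrong code is reported as "expired".
        return {"isConfirmed": False, "message": EXPIRED_MSG}


def brute_force(service: ConfirmationService, email: str) -> Tuple[Optional[str], int]:
    """Attacker side: walk the whole 6-digit space and match on the response body,
    because the status code is 200 for hits and misses alike.

    Returns (recovered code or None, number of requests sent).
    """
    sent = 0
    for n in range(10 ** CODE_LENGTH):
        guess = f"{n:0{CODE_LENGTH}d}"
        sent += 1
        body = service.confirm_email(email, guess)
        if body.get("isConfirmed") is True:
            return guess, sent
        if body.get("message") != EXPIRED_MSG:
            # Any message other than the usual "expired" one means the server
            # reacted to the guessing; the hardened variant has burned the code.
            return None, sent
    return None, sent


if __name__ == "__main__":
    email = "victim@example.com"  # constructed address
    vuln = ConfirmationService(rate_limited=False)
    vuln.issue_code(email, code="004217")  # pinned so the run is reproducible
    print("vulnerable:", brute_force(vuln, email))  # ('004217', 4218)
    hard = ConfirmationService(rate_limited=True)
    hard.issue_code(email, code="004217")
    print("hardened:  ", brute_force(hard, email))  # (None, 6)
```

Run as-is, the vulnerable service gives up the pinned code after 4,218 requests while the hardened one refuses after 6. The detail that matters when reproducing this in Intruder is that the match must be on the response body (`isConfirmed`), not on the status code, since both hits and misses come back as 200 OK.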
Now, you might think this is limited to just Meta.com accounts, but no. Once I logged into the Meta account, I went to accountscenter.meta.com, clicked on the Profiles tab, and linked both my Facebook and Instagram accounts.
Then I visited the Personal Details section and selected the verified email (the one I had confirmed by brute force). I clicked on “Add to another account” and selected both Facebook and Instagram. Surprisingly, the email got linked to those accounts too, with no extra verification required.
So yeah, with just one brute-forced email confirmation, I could link that email to Meta, Facebook, and Instagram. This could allow someone to claim any email address not already in use, without ever having access to that inbox, and link it to all three major Meta accounts. The impact here was pretty serious.
I reported the issue to Meta’s bug bounty program and got a reply saying it was a duplicate.
I saw the message and was pretty disappointed, given that the reward for such an issue would be at least four digits, but lucky me, I received another notification on the same report just a few minutes later, and I was pretty happy to see this message pop up.
The bug was fixed about a week later, and I got the fixed message. I tested again and could see that the endpoint was now properly rate limited, and a few days later I got the bounty of $2500 on this report.
I also submitted a payout dispute, pointing out that another researcher had received $5000 for the same bug type in the past. But Meta said their internal payout policies had changed, and this one was now worth $2500 on the new impact scale. Fair enough.
I asked for permission to write a public write-up after the bug was patched, and they said yes. So here it is.
Thanks for reading, and good luck with your own bug bounty journey. See you in the next one!