[WRITE-UP] Missing rate-limiting. How I was able to add any unowned phone number to my Facebook account? (Bounty: 5000 USD)

Hi guys, I’m Shubham Bhamare again. In this write-up, I’m going to tell you how I was able to add any unowned phone number to my Facebook account without victim’s knowledge. It was very easy finding.

Without wasting time, let’s start! 👉


Reproduction steps:

Step 1: Using d.facebook.com subdomain, create a new Facebook account with victim’s phone number.

Step 2: After successfully creating an account, do some suspicious activities (e.g. send friend requests to random people, post multiple comments, etc.) so that Facebook will block you from doing further activities and show the following checkpoint screen.

Step 3: Now, click on the Continue button and complete the CAPTCHA verification. So that you'll be redirected to the following screen where you’ll have to enter the same phone number of victim (which you’ve used to create a new Facebook account before.)

Step 4: Enter the victim’s phone number and click on the Send Code button. You’ll be redirected to the following screen where you’ll have to enter OTP.

Step 5: If you try to brute-force here, you’ll find that rate-limiting is missing so that you can confirm any unowned phone number.

To test this issue, I tried 5000+ payloads though the system didn’t block me and I was able to confirm that unowned phone number with valid payload after 5000+ requests.

First I tested this issue on the main domain of Facebook but it wasn’t vulnerable. So I tested it on one of my favorite Facebook subdomain d.facebook.com. (However other subdomains i.e. m.facebook, x.facebook, mbasic.facebook, touch.facebook, iphone.facebook was also vulnerable.)


The story behind it:

On Jul 17, 2019 (when I reported this issue), I wasn’t in the mood of hunting bugs and was just browsing some meme pages on Facebook. That time I thought I should also start my own meme page and earn some passive income. So I created a new Facebook account with my other phone number.

But after some actions and as the phone number wasn’t verified, Facebook blocked me and asked me to confirm my phone number. That time I thought that why not I should brute-force here? And BOOOOOOOM!💥 I found that the rate-limiting was missing.



Jul 17, 2019: Report sent

Jul 22, 2019: Pre-triaged

Jul 26, 2019: Triaged

Jul 27, 2019: Issue mitigated with following message

Aug 01, 2019: Fixed completely

Aug 12, 2019: 5000 USD bounty awarded


Things I tried to bypass this issue:

After reading this awesome article on IP Rotation by Lokesh Kumar, I tried to bypass this issue with the same technique. But I couldn’t bypass it. 🥲



  1. While browsing something (even though you’re not in the mood of hunting bugs), always observe whether something’s working as intended or not.
  2. Always try to bypass the fix of your every finding. Even though you won’t be able to bypass it, you’ll learn something new. (In my case, I learned how to rotate IPs.)


Thank you for reading! Stay tuned for my next write-up and don’t forget to follow me on Facebook, Twitter, LinkedIn, Instagram and Medium. 😊






Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

TokenStars Winter Report: With new strength to new heights

How We Secure the Future: Protecting the Internet of Things

Cryptopia Land Dollar (CLD) Upcoming PancakeSwap Listing Announcement

How People Put Their Personal Data in the Public Space Without Knowing

{UPDATE} Eternal Wars Hack Free Resources Generator

{UPDATE} Garden Pets Puzzle Hack Free Resources Generator

中文社区NFT KoLs

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shubham Bhamare

Shubham Bhamare


More from Medium

P1 Vulnerability: How I chained Logical-Error to Account-Takeover Vulnerability 😈🧑‍💻that No-One…

IDOR with Autorize!

IDOR vulnerability on invoice and weak password reset leads to account take over

2fa Bypass by changing Request method to DELETE