Critical 2FA Phone Number Auto-Enablement Flaw in Instagram Multi-Account Setup


Summary

While testing Instagram’s mobile app, I discovered a serious vulnerability in how the platform handles multi-account creation. Instagram silently enables SMS-based two-factor authentication (2FA) on a newly created account by reusing a previously verified phone number—without requesting any verification code or user consent.

How I Found the Issue

  • Logged into Account A with SMS-based 2FA and authenticator app enabled.

  • Within the same app session, used Add Account → Create New Account option.

  • Created Account B using the same Gmail address as Account A.

  • Navigated to Settings → Security → Two-Factor Authentication → Text Message on Account B.

  • Noticed that the phone number from Account A was already linked, and SMS 2FA was enabled without any OTP prompt or verification.

Expected vs Actual Behavior

Feature Expected Behavior Actual Behavior
2FA Setup Instagram should prompt to verify phone via OTP for Account B. SMS-based 2FA enabled silently, no verification requested.
Phone Verification Each account should verify its phone number independently. Phone number from Account A reused without verification.
User Consent User should manually approve any security-related setup. No user action or notification; setup happened in background.

Steps to Reproduce

  1. Log into Account A on Instagram and enable SMS-based 2FA.

  2. While still logged in, go to Add Account → Create New Account.

  3. Create Account B using the same Gmail address as Account A.

  4. After setup, go to Settings → Security → Two-Factor Authentication → Text Message on Account B.

  5. Observe that the phone number from Account A is present and SMS 2FA is enabled automatically—without OTP verification.

Security and Privacy Impact

  • Bypassing 2FA Verification: The core purpose of 2FA is compromised as verification is skipped entirely.

  • Cross-Account Phone Binding Without Consent: Phone numbers are sensitive data; linking them silently violates user consent and privacy principles.

  • Potential for Account Takeover: If an attacker gains access to your Gmail, they can create new Instagram accounts tied to your phone number without control of your device.

  • Silent Security Configuration: Users may remain unaware that SMS 2FA is enabled on additional accounts, leading to confusion or false trust in account security.

Why This Is Serious for Users and Businesses

Two-factor authentication is designed to protect accounts by requiring a second verification step, usually an OTP sent via SMS or generated by an authenticator app. The official, secure process involves:

  1. Adding a phone number to the account.

  2. Receiving an OTP on that phone number.

  3. Entering the OTP to verify control of the phone.

  4. Activating SMS-based 2FA only after successful verification.

Each account should independently verify its phone number. Sharing or reusing phone numbers silently across accounts breaks this isolation, undermines security, and violates user expectations.

For businesses and public figures, this vulnerability risks unwanted account linkage, impersonation, or coordinated social engineering attacks — potentially damaging reputation and security.


Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more