Critical 2FA Phone Number Auto-Enablement Flaw in Instagram Multi-Account Setup


Overview

A significant security flaw has been identified in Instagram’s mobile app involving the multi-account creation feature and two-factor authentication (2FA) settings. This vulnerability silently enables SMS-based 2FA on a newly created Instagram account without any user confirmation or verification, by automatically linking a previously verified phone number from an existing account.

This unexpected behavior undermines the fundamental security principle of explicit user consent and verification in 2FA setups, potentially exposing millions of users to unauthorized security configurations.


Description of the Issue

When a user who is logged into Account A with 2FA enabled via both phone and authenticator app creates a second account (Account B) using the same Gmail address within the same Instagram app session, the following occurs:

  • Upon enabling 2FA via SMS on Account B, Instagram automatically activates it using the phone number verified for Account A.

  • This happens without prompting the user to enter any SMS verification code or OTP, and without requesting any explicit consent for this linkage.

  • The verified phone number from Account A is silently bound to Account B’s 2FA settings, activating SMS-based 2FA on Account B instantly and invisibly to the user.


Expected vs Actual Behavior

  • 2FA Activation on Account B
    Expected: Instagram prompts for an SMS verification code to confirm ownership of the phone number.
    Actual: Instagram enables SMS-based 2FA on Account B automatically, without any OTP or user confirmation.

  • Phone Number Binding
    Expected: Phone number verification is required for each account individually, regardless of a shared Gmail address.
    Actual: The phone number from Account A is reused silently for Account B without fresh verification.

  • User Consent
    Expected: Explicit user action and confirmation are required before enabling sensitive security settings.
    Actual: 2FA is enabled silently, bypassing the need for user confirmation or consent.

Security and Privacy Impact

This vulnerability poses a critical security risk:

  1. Bypassing Core 2FA Verification
    Two-factor authentication is designed to require proof of possession of a second factor (the phone) via OTP. This flaw bypasses that safeguard by silently assuming verification across accounts.

  2. Unauthorized Phone Number Binding
    Phone numbers are automatically shared across accounts without explicit approval, which violates user expectations of security and privacy.

  3. Increased Risk in Case of Gmail Compromise
    If the shared Gmail account is compromised, an attacker can create or access a new Instagram account and instantly enable SMS 2FA without control of the phone, leading to potential account takeover or complicated recovery scenarios.

  4. Silent Security Setting Changes
    Activating 2FA without notification undermines user trust and may confuse users about the true security status of their accounts.


Steps to Reproduce

  1. Open the Instagram mobile app (any version supporting multi-account creation).

  2. Log into Account A with 2FA enabled (both phone and authenticator app).

  3. Use the Add Account → Create New Account feature and register Account B with the same Gmail address used for Account A.

  4. Log into Account B and navigate to:
    Settings > Security > Two-Factor Authentication > Text Message

  5. Observe that the phone number from Account A is already auto-filled and SMS-based 2FA is automatically enabled without requiring any verification code.


Suggested Fixes

  • Require fresh SMS verification via OTP every time 2FA via phone is enabled, regardless of previous verification on other accounts.

  • Avoid silently binding phone numbers across accounts created or accessed within the same app session, especially when different accounts use the same Gmail.

  • Treat each Instagram identity as fully isolated for all security-sensitive settings, ensuring no cross-account assumptions or shortcuts in authentication flows.

  • Notify users explicitly of any changes to 2FA status and require confirmation before activation.
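As an added example (not Instagram's or Meta's code), the following Python model contrasts the session-wide shortcut described in the issue above with an enrollment flow that applies the suggested fixes: a fresh OTP for each account regardless of what other accounts in the session have verified, constant-time code comparison, single-use challenges with a small attempt budget, and an audit check that flags any phone binding lacking a per-account confirmation record. The account names, e-mail address, phone number and session structure are all constructed for illustration.

```python
"""Model of SMS 2FA enrollment in a multi-account app session (hypothetical, not
Instagram's code). enable_sms_2fa_weak reproduces the reported behaviour: a phone
verified by one account is trusted for another. The *_hardened functions apply the
suggested fixes: a fresh OTP per account, compared in constant time, single use."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    email: str
    sms_2fa_phone: Optional[str] = None  # phone bound to this account's SMS 2FA, if any


@dataclass
class Session:
    """One app session holding several logged-in accounts (constructed model)."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Session-wide set of phones verified by *any* account: the shared state the weak flow trusts.
    verified_phones: Set[str] = field(default_factory=set)
    # Per-account proof: (username, phone) pairs confirmed by an OTP for that exact account.
    confirmations: Set[Tuple[str, str]] = field(default_factory=set)
    # Outstanding OTP challenges keyed by username: (phone, code, attempts left).
    pending: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)


def enable_sms_2fa_weak(session: Session, username: str, phone: str) -> str:
    """Weak flow: skips the OTP when the phone was verified anywhere in the session."""
    if phone in session.verified_phones:
        session.accounts[username].sms_2fa_phone = phone  # bound with no proof for *this* account
        return "enabled_without_otp"
    return "otp_required"


def start_sms_2fa_hardened(session: Session, username: str, phone: str) -> str:
    """Hardened flow, step 1: always issue a fresh 6-digit OTP for this account,
    regardless of what other accounts in the session have verified."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending[username] = (phone, code, 3)  # three guesses, then the challenge is discarded
    return code  # a real system sends this by SMS; returned here so the example runs offline


def confirm_sms_2fa_hardened(session: Session, username: str, submitted: str) -> str:
    """Hardened flow, step 2: bind the phone only after the OTP for this account checks out."""
    entry = session.pending.get(username)
    if entry is None:
        return "no_pending_challenge"
    phone, code, attempts = entry
    if not hmac.compare_digest(code, submitted):  # constant-time comparison
        if attempts <= 1:
            del session.pending[username]
            return "challenge_expired"
        session.pending[username] = (phone, code, attempts - 1)
        return "invalid_code"
    del session.pending[username]  # single use
    session.accounts[username].sms_2fa_phone = phone
    session.confirmations.add((username, phone))
    session.verified_phones.add(phone)  # recorded, but never reused as proof for another account
    return "enabled"


def unconfirmed_phone_bindings(session: Session) -> Set[str]:
    """Audit check: usernames whose bound phone has no per-account confirmation record.
    Bindings created by the weak flow show up here; hardened ones do not."""
    return {
        a.username for a in session.accounts.values()
        if a.sms_2fa_phone is not None and (a.username, a.sms_2fa_phone) not in session.confirmations
    }


def reproduce_report() -> Dict[str, object]:
    """Walk through the scenario from the report with constructed sample data."""
    s = Session()
    s.accounts["account_a"] = Account("account_a", "shared@example.com", "+15550100")
    s.verified_phones.add("+15550100")  # Account A verified this phone earlier
    s.confirmations.add(("account_a", "+15550100"))
    s.accounts["account_b"] = Account("account_b", "shared@example.com")  # same Gmail, same session

    weak = enable_sms_2fa_weak(s, "account_b", "+15550100")
    audit_after_weak = unconfirmed_phone_bindings(s)  # flags account_b
    s.accounts["account_b"].sms_2fa_phone = None  # reset for the hardened run

    otp = start_sms_2fa_hardened(s, "account_b", "+15550100")
    wrong = confirm_sms_2fa_hardened(s, "account_b", "000000" if otp != "000000" else "111111")
    right = confirm_sms_2fa_hardened(s, "account_b", otp)
    return {
        "weak": weak,
        "audit_after_weak": audit_after_weak,
        "hardened_wrong_code": wrong,
        "hardened_right_code": right,
        "audit_after_hardened": unconfirmed_phone_bindings(s),
    }


if __name__ == "__main__":
    print(reproduce_report())
```

The audit helper is the piece a defender can reuse directly: whatever the enrollment code does, a periodic check that every (account, phone) binding has its own confirmation record surfaces silent cross-account bindings of the kind described in this report.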


Conclusion and Call for Awareness

Two-factor authentication remains one of the most important defenses against unauthorized access, and its security depends on explicit, verifiable user consent for each account. The discovery of this silent auto-enablement flaw in Instagram’s multi-account feature exposes a dangerous gap that can be exploited, or that can leave accounts in unintended security configurations.

Users and security professionals alike should be aware of this behavior, which contradicts best practices for 2FA management. Instagram and Meta are urged to address this issue promptly, reinforcing the trust users place in their platform’s security.


If you are a user managing multiple Instagram accounts, exercise caution when creating new accounts linked by the same Gmail address. Verify your 2FA settings manually and report any suspicious behavior to Instagram support.

Security researchers and bug bounty hunters should continue to monitor and report such critical flaws to improve the safety and privacy of millions of users worldwide.

