When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge?

While testing Instagram’s multi-account feature in the mobile app, I discovered a surprising and concerning flaw: when I created a second Instagram account from within the app using the same Gmail address and then turned on SMS-based 2FA for it, Instagram enabled it without any fresh verification. Yes, you read that right: no SMS code, no confirmation, nothing. The phone number already verified on the first account was simply carried over.

How This Happens

Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail address. When you try to enable 2FA via text message on Account B, Instagram doesn’t ask you to verify your phone number again. Instead, it silently copies over the number that was verified on Account A and switches on SMS 2FA for the new account.

This is a significant deviation from how 2FA enrolment is supposed to work. Instead of requiring fresh proof of possession, such as a one-time password (OTP) sent to the phone, Instagram treats the number verified on Account A as automatically valid on Account B. In effect, verification is scoped to the app session rather than to the individual account, and the linkage happens silently: the user never confirms, from within Account B, that they control that number.

Why This Matters

Enrolling a second factor should require explicit verification every time it is bound to an account. The whole point is to ensure that whoever enables 2FA on a given account demonstrably controls the second factor, here the phone number, at the moment it is enrolled.

By automatically enabling SMS-based 2FA on the new account without verification, Instagram is:

  • Bypassing the possession check that SMS 2FA enrolment depends on

  • Binding phone numbers to accounts without user approval

  • Creating risks if the Gmail account or app session is compromised: an attacker who controls the session can create new accounts that carry the victim’s verified phone number as their second factor, which lends those accounts a false appearance of legitimate ownership and complicates both recovery and detection

This isn’t just a minor glitch; it undermines user trust in one of the most sensitive security features Instagram offers.

What Should Happen Instead?

  • Instagram must require a fresh OTP whenever SMS 2FA is enabled on an account, even if the same number is already verified on another account in the session.

  • Each Instagram account should be treated as a distinct security entity, even if managed within the same app session.

  • No phone number should be auto-bound or silently reused across accounts without explicit verification.
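To make the difference between the observed behaviour and the recommended one concrete, here is an added illustrative model of SMS 2FA enrolment in a multi-account session. It is my own example, not Instagram’s code; `Account`, `Session`, `OtpService`, the two enrolment policies and the sample accounts and phone number are all hypothetical and constructed. The flawed policy treats a phone number verified on any account in the session as verified for the account being enrolled, so no OTP is sent; the fixed policy keys OTP state to the (account, phone) pair, so each account must prove possession of the number itself.

```python
"""Illustrative model of SMS 2FA enrolment in a multi-account app session.

Added example, not Instagram's code. Account, Session, OtpService and the
enrolment functions are hypothetical stand-ins for the behaviour the post
describes; the sample accounts and phone number are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str
    phone: Optional[str] = None
    phone_verified: bool = False   # has THIS account proven control of `phone`?
    sms_2fa: bool = False


@dataclass
class Session:
    """One app login holding several accounts ("Add Account")."""
    accounts: List[Account] = field(default_factory=list)


class OtpService:
    """Stand-in for the SMS sender: records codes instead of texting them."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str], str] = {}   # (username, phone) -> code
        self.sent: List[Tuple[str, str]] = []            # audit log of every send

    def send(self, username: str, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(username, phone)] = code           # scoped to ONE account
        self.sent.append((username, phone))
        return code

    def verify(self, username: str, phone: str, code: str) -> bool:
        expected = self.pending.pop((username, phone), None)   # single use
        return expected is not None and hmac.compare_digest(expected, code)


def enable_sms_2fa_flawed(session: Session, target: Account,
                          phone: str, otp: OtpService) -> bool:
    """Flawed policy matching the post: verification is scoped to the session.

    If any other account in the session has verified `phone`, bind it to
    `target` and switch SMS 2FA on with no fresh OTP. Returns True when 2FA
    was enabled silently, False when an OTP was sent and must be confirmed.
    """
    inherited = any(a is not target and a.phone == phone and a.phone_verified
                    for a in session.accounts)
    if inherited:
        target.phone, target.phone_verified, target.sms_2fa = phone, True, True
        return True
    otp.send(target.username, phone)
    return False


def enable_sms_2fa_fixed(session: Session, target: Account,
                         phone: str, otp: OtpService) -> bool:
    """Fixed policy: verification is scoped to the account. Other accounts in
    the session are deliberately ignored; an OTP is always sent to the number
    being bound and 2FA stays off until confirm_sms_2fa succeeds."""
    otp.send(target.username, phone)
    return False


def confirm_sms_2fa(target: Account, phone: str, code: str,
                    otp: OtpService) -> bool:
    """Complete enrolment only with the code issued for (this account, this phone)."""
    if not otp.verify(target.username, phone, code):
        return False
    target.phone, target.phone_verified, target.sms_2fa = phone, True, True
    return True


def run_scenario(enable) -> Tuple[bool, bool, int]:
    """Replay the Account A / Account B flow under one enrolment policy.
    Returns (B enabled without OTP?, B's sms_2fa flag, OTPs sent for B)."""
    otp = OtpService()
    phone = "+15550100"                                   # constructed number
    a = Account("account_a", "user@gmail.com")            # constructed account
    session = Session([a])
    # Account A enrols properly: OTP sent, then confirmed.
    enable_sms_2fa_fixed(session, a, phone, otp)
    confirm_sms_2fa(a, phone, otp.pending[(a.username, phone)], otp)
    # Account B is created in the same session with the same Gmail address.
    b = Account("account_b", "user@gmail.com")
    session.accounts.append(b)
    silent = enable(session, b, phone, otp)
    sent_for_b = sum(1 for user, _ in otp.sent if user == b.username)
    return silent, b.sms_2fa, sent_for_b


if __name__ == "__main__":
    print("flawed:", run_scenario(enable_sms_2fa_flawed))  # (True, True, 0)
    print("fixed: ", run_scenario(enable_sms_2fa_fixed))   # (False, False, 1)
```

The `sent` audit log is the practical check: under the fixed policy every account that ends up with `sms_2fa` on has at least one OTP send recorded for it, so “2FA enabled on an account with zero OTP sends for that account” is a detectable anomaly rather than the expected path. Keying `pending` on the (account, phone) pair also means a code issued for Account A cannot be replayed to confirm Account B.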

The Takeaway

This flaw reveals how even major platforms can have unexpected weaknesses in their multi-account management and security flows. As users and researchers, we need to stay vigilant about how authentication features are implemented — and demand transparency and proper verification for all security settings.

Because when the lock turns itself on — without asking — it’s no longer a lock you can trust.

