Saturday, January 1, 2022

Facebook Bug POC - Determine Email Address and Phone Number of Users


By following the POC below, it was possible for an attacker to determine whether a given email address or phone number is connected to a given Facebook user.

Steps -

1. Initiate "Forgot password" flow.

2. Enter Target's Phone Number and click on "Search".

3. Select "Send code via SMS" and click on "Keep going".

4. Click on "Can't get code?".

5. Repeat steps 3 and 4 at least six times.

6. Then click on "Aren't you".

7. Enter the Target's Facebook USERNAME and click on "Search".

8. Select "Send code via SMS" and click on "Keep going".

9. Click on "Cancel".

10. Click on "Forgot password".

11. Repeat steps 8, 9 and 10 again.

This should trigger an error saying "Identify this account in another way".
To double-check,

12. Click on "Please try again".

13. Enter the Target's USERNAME and Search.

This should give us an error saying "Identify this account in another way. Identify your account using email or phone number."

If we instead enter a USERNAME that is not connected to the Target's Phone Number, no such error appears and we are simply redirected. The difference between the two responses is what reveals whether the phone number and the username belong to the same account.
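The root cause of the steps above is that a lockout counted per account is surfaced in the response for every identifier that resolves to that account, so a lockout triggered through a phone number becomes visible through a username lookup. The following toy model is an added example, not Facebook's code or anything from the original post: it simulates a recovery flow with that defect next to a hardened variant whose throttle is keyed on the identifier as typed and whose response never changes. All accounts, phone numbers and the `SMS_LIMIT` of six are constructed to mirror the post's description.

```python
"""Toy account-recovery flow: a linkage oracle via per-account lockout, and a
hardened version.  Added example with constructed data; not the original post's
code and not a model of any real service's internals."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    phone: str
    email: str


# Constructed sample accounts (no real users).
ACCOUNTS = (
    Account("alice", "+15550000001", "alice@example.com"),
    Account("bob", "+15550000002", "bob@example.com"),
)
SMS_LIMIT = 6  # codes allowed before recovery locks; mirrors "at least six times" in the post

ERR_IDENTIFY_ANOTHER_WAY = "Identify this account in another way"
OK_SEND_CODE = "Send code via SMS"
GENERIC = "If this matches an account, we have sent a code"


def find_account(identifier):
    """Resolve a username, phone number or e-mail address to an account, or None."""
    for acct in ACCOUNTS:
        if identifier in (acct.username, acct.phone, acct.email):
            return acct
    return None


class VulnerableRecovery:
    """Lockout is counted per *account* and reflected in the response for any
    identifier that resolves to it, so a lockout reached via the phone number
    is visible when the same account is looked up by username."""

    def __init__(self):
        self.sent = Counter()  # account username -> codes requested so far

    def request_sms_code(self, requester, identifier):
        acct = find_account(identifier)
        if acct is None:
            return "No account found"  # an existence leak of its own, not the point here
        self.sent[acct.username] += 1
        if self.sent[acct.username] > SMS_LIMIT:
            return ERR_IDENTIFY_ANOTHER_WAY
        return OK_SEND_CODE


class HardenedRecovery:
    """Throttle is keyed on (requester, identifier exactly as typed), and the
    response is the same whether or not the identifier resolves to an account
    and whether or not the throttle fired.  Sending the code is a side effect
    that never changes what the caller sees."""

    def __init__(self):
        self.attempts = Counter()  # (requester, identifier) -> requests
        self.outbox = []  # (phone, code) pairs that would be sent; never in the response

    def request_sms_code(self, requester, identifier):
        key = (requester, identifier)
        self.attempts[key] += 1
        acct = find_account(identifier)
        if acct is not None and self.attempts[key] <= SMS_LIMIT:
            self.outbox.append((acct.phone, "123456"))  # constructed code value
        return GENERIC


def response_after_phone_lockout(flow, phone, username, requester="client"):
    """Replay the post's sequence in the toy model: exhaust the SMS allowance via
    the phone number, then request a code via the username, and return that
    final response."""
    for _ in range(SMS_LIMIT + 1):
        flow.request_sms_code(requester, phone)
    return flow.request_sms_code(requester, username)


def leaks_linkage(make_flow, phone, linked_user, other_user):
    """True if the flow answers differently for a username linked to the phone
    than for one that is not, i.e. the response acts as a linkage oracle."""
    a = response_after_phone_lockout(make_flow(), phone, linked_user)
    b = response_after_phone_lockout(make_flow(), phone, other_user)
    return a != b


if __name__ == "__main__":
    print("vulnerable leaks linkage:", leaks_linkage(VulnerableRecovery, "+15550000001", "alice", "bob"))
    print("hardened leaks linkage:  ", leaks_linkage(HardenedRecovery, "+15550000001", "alice", "bob"))
```

The hardened variant still needs a cap on codes sent to any one destination to prevent SMS flooding; the point is that such caps must be enforced silently, with the user-facing response staying identical across identifier types and throttle states, so that no error message distinguishes a linked account from an unrelated one.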


Timeline -

Reported - 19 September 2021
Asked for updates - 24 September
Not able to reproduce by Facebook - 27 September
Additional info sent - 27 September
Asked for updates - 2 October
Asked for updates - 6 October
Asked for updates - 20 October
I reopened a resolved report and asked them to look into this one.
Triaged - 22 October
Fixed - 2 November
Rewarded - 3 November