
Vulnerability in Meta Verified Accounts | Change Name and Username Without Review

I discovered a vulnerability that lets Meta Verified accounts change their name and username without going through the required review process.

What Was the Vulnerability?

The Meta Verified badge is supposed to confirm that an account is authentic. Normally, once an account is verified, any changes to the name or username need to be reviewed carefully to prevent impersonation or misuse.

But this vulnerability lets verified accounts completely bypass that review. That means anyone with a Meta Verified account could instantly change their name and username to whatever they want — and the Verified badge stays right there on the profile, making the new identity look officially verified.

Why Is This Dangerous?

This flaw can be abused in several serious ways:

  • People or brands can be impersonated by changing names and usernames while still showing the Verified badge.
  • Users could be tricked into trusting fake or fraudulent accounts.
  • The Verified badge can be exploited to carry out scams, fraud, or spread false information.

How to Reproduce the Issue

I tested this on the Android app (version 380.0.0.49.84). Here’s how it works:

  1. Log into a Meta Verified account.
  2. Go to Settings > Account Center > Password and Security.
  3. Click on Security Check-up.
  4. When the “Help us secure your account” page appears, showing options like Password, Email, Phone Number, and Two-Factor Authentication, click the X in the top-right corner and select Finish Later.
  5. A popup titled “Security Check-up” will appear with two options: Start and Remind Me Later. Click Start.
  6. You’ll see four items: Email, Mobile Number, Profile, and Two-Factor Authentication.
  7. Click on Profile.
  8. Change the Name and Username fields to completely different values.
  9. Click Continue Security Check-up.
  10. When prompted to change your email, simply click the X (close) button.
  11. You’ll return to the main interface — the new name and username are saved and visible immediately, and the Verified badge remains intact, all without any review happening.

Impact on Meta Verified Business and Standard Packages

This vulnerability affects all Meta Verified accounts, including both Business and Standard verification packages. That means verified businesses and individuals could misuse this flaw to impersonate others or abuse the Verified badge — which seriously undermines trust in the whole verification system.

Resolution and Fix

After finding this issue, I reported it through Meta’s Bug Bounty Program with full reproduction details and a proof-of-concept video. Meta acknowledged the problem and has now fixed it to protect users.

Resolution: Meta quickly addressed the flaw and implemented security measures to restore the integrity of their review process. The vulnerability has since been patched, ensuring that username changes on Meta Verified accounts are properly reviewed.
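
One way to keep a review rule from depending on which screen triggers the change, as an added example that is not from the original report and does not represent Meta's code (the report does not describe the server-side implementation). The `Account` model, the flow functions and `audit_flows` are hypothetical names, and the sample values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:  # hypothetical model, not Meta's schema
    name: str
    username: str
    verified: bool
    pending_review: list = field(default_factory=list)

# Weak pattern: each UI flow decides for itself whether review applies.
def edit_profile_weak(acct, name, username):
    if acct.verified:  # the main settings flow remembers the gate
        acct.pending_review.append((name, username))
        return "queued"
    acct.name, acct.username = name, username
    return "applied"

def checkup_profile_step_weak(acct, name, username):
    acct.name, acct.username = name, username  # secondary flow has no gate
    return "applied"

# Hardened pattern: one choke point owns the rule; every flow delegates to it.
def change_identity(acct, name, username):
    if (name, username) == (acct.name, acct.username):
        return "unchanged"
    if acct.verified:  # badge holders never get an immediate write
        acct.pending_review.append((name, username))
        return "queued"
    acct.name, acct.username = name, username
    return "applied"

def edit_profile(acct, name, username):
    return change_identity(acct, name, username)

def checkup_profile_step(acct, name, username):
    return change_identity(acct, name, username)

def audit_flows(flows):
    """Return the flows that alter a verified account's visible identity without review."""
    leaky = []
    for flow in flows:
        acct = Account("Constructed Name", "constructed_user", verified=True)
        flow(acct, "Other Name", "other_user")
        if (acct.name, acct.username) != ("Constructed Name", "constructed_user"):
            leaky.append(flow.__name__)
    return leaky
```

Running `audit_flows` over every entry point that can reach the name and username fields works as a regression check whenever a new flow is added.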
