
Captcha solution to brute force


As we all know there was a recent vulnerability on Facebook that was exploited by an Indian developer as stated here.

Brute force in 2016 is very weird. Facebook applies rate limiting while entering the code for the phone, so why are they not using CAPTCHAs?

Isn't the problem avoided by adding a CAPTCHA?

Thanks


Solution

  • CAPTCHAs are also not perfect. There are OCR algorithms to programmatically solve them, there are also systems which outsource the problem, i.e., dodgy download sites can give you a popup to solve a CAPTCHA, but their real goal is not to find out whether you are a human or not, but to solve that particular CAPTCHA. I think there are even factories at places where the human labor is very cheap where people solve CAPTCHAs 10 hours a day as their normal jobs.
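The rate limiting the question refers to, as an added example that is not from the original thread or from Facebook: a per-account reset-code store that caps the guesses allowed per issued code, expires the code, and compares in constant time, so that the brute-force success chance is bounded by attempts / 10^digits regardless of whether a CAPTCHA is solved. Class and function names, the attempt limit and the TTL are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 600    # code expires after ten minutes (assumed policy)


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class ResetCodeStore:
    """Issue and verify one-time numeric reset codes with attempt limiting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable clock so expiry can be tested
        self._codes: dict[str, IssuedCode] = {}

    def issue(self, account: str) -> str:
        # Cryptographically random, zero-padded 6-digit code; replaces any old one.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = IssuedCode(code=code, issued_at=self._clock())
        return code

    def verify(self, account: str, guess: str) -> str:
        entry = self._codes.get(account)
        if entry is None or entry.consumed:
            return "no_code"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            # Over the limit: invalidate the code instead of comparing it,
            # so a fresh code (and a fresh budget) must be requested.
            del self._codes[account]
            return "locked"
        entry.attempts += 1
        if hmac.compare_digest(entry.code, guess):   # constant-time compare
            entry.consumed = True
            return "ok"
        return "wrong"


def brute_force_success_probability(attempts_allowed: int = MAX_ATTEMPTS) -> float:
    """Chance of guessing a uniformly random code within the allowed attempts."""
    return min(1.0, attempts_allowed / 10 ** CODE_DIGITS)
```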