Hacker Finds Instagram Account Takeover Flaw Worth $10,000

A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts.

India-based white hat hacker Laxman Muthiyah identified the flaw while looking at Instagram’s password recovery system for mobile devices, a process in which users receive a six-digit code on their phone and they have to enter it within 10 minutes to be allowed to change their password.

Instagram developers have implemented some protection mechanisms to prevent attempts to obtain the code through brute-force attacks. However, according to Muthiyah, an ID that is randomly generated by the Instagram app for every device is included in the request when the password reset code is solicited. This device ID is also used to check the validity of the six-digit code.

The researcher noticed that the same device ID can be used to request codes for multiple user accounts. This meant that with enough requests an attacker would be able to obtain the correct password reset codes.

“There are one million probabilities for a 6 digit pass code (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts,” Muthiyah explained in a blog post. “For example, if you request pass code of 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request pass codes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the pass code one by one.”

The expert said codes for one million Instagram users should be requested within 10 minutes — because the code expires after 10 minutes — for a 100% success rate.

Facebook determined that the vulnerability was caused by insufficient protections on a recovery endpoint. The social media giant awarded the hacker $10,000 for his findings.

In July, Muthiyah reported discovering an Instagram account takeover vulnerability that earned him $30,000 from Facebook. That exploit involved obtaining the six-digit code by using 5,000 different IP addresses that would send out one million requests containing possible combinations of the code.

In the past, Muthiyah earned a significant bounty from Facebook for flaws that could have been exploited to delete videos, access private photos, and delete a user’s photos.

Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Increases Rewards for Account Hacking Vulnerabilities