Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Hacker Finds Instagram Account Takeover Flaw Worth $10,000

A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts.

A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts.

India-based white hat hacker Laxman Muthiyah identified the flaw while looking at Instagram’s password recovery system for mobile devices, a process in which users receive a six-digit code on their phone and they have to enter it within 10 minutes to be allowed to change their password.

Instagram developers have implemented some protection mechanisms to prevent attempts to obtain the code through brute-force attacks. However, according to Muthiyah, an ID that is randomly generated by the Instagram app for every device is included in the request when the password reset code is solicited. This device ID is also used to check the validity of the six-digit code.

The researcher noticed that the same device ID can be used to request codes for multiple user accounts. This meant that with enough requests an attacker would be able to obtain the correct password reset codes.

“There are one million probabilities for a 6 digit pass code (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts,” Muthiyah explained in a blog post. “For example, if you request pass code of 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request pass codes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the pass code one by one.”

The expert said codes for one million Instagram users should be requested within 10 minutes — because the code expires after 10 minutes — for a 100% success rate.

Facebook determined that the vulnerability was caused by insufficient protections on a recovery endpoint. The social media giant awarded the hacker $10,000 for his findings.

In July, Muthiyah reported discovering an Instagram account takeover vulnerability that earned him $30,000 from Facebook. That exploit involved obtaining the six-digit code by using 5,000 different IP addresses that would send out one million requests containing possible combinations of the code.

Advertisement. Scroll to continue reading.

In the past, Muthiyah earned a significant bounty from Facebook for flaws that could have been exploited to delete videosaccess private photos, and delete a user’s photos.

Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Increases Rewards for Account Hacking Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.