Security Experts:

Connect with us

Hi, what are you looking for?



Hacker Finds Instagram Account Takeover Flaw Worth $10,000

A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts.

A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts.

India-based white hat hacker Laxman Muthiyah identified the flaw while looking at Instagram’s password recovery system for mobile devices, a process in which users receive a six-digit code on their phone and they have to enter it within 10 minutes to be allowed to change their password.

Instagram developers have implemented some protection mechanisms to prevent attempts to obtain the code through brute-force attacks. However, according to Muthiyah, an ID that is randomly generated by the Instagram app for every device is included in the request when the password reset code is solicited. This device ID is also used to check the validity of the six-digit code.

The researcher noticed that the same device ID can be used to request codes for multiple user accounts. This meant that with enough requests an attacker would be able to obtain the correct password reset codes.

“There are one million probabilities for a 6 digit pass code (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts,” Muthiyah explained in a blog post. “For example, if you request pass code of 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request pass codes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the pass code one by one.”

The expert said codes for one million Instagram users should be requested within 10 minutes — because the code expires after 10 minutes — for a 100% success rate.

Facebook determined that the vulnerability was caused by insufficient protections on a recovery endpoint. The social media giant awarded the hacker $10,000 for his findings.

In July, Muthiyah reported discovering an Instagram account takeover vulnerability that earned him $30,000 from Facebook. That exploit involved obtaining the six-digit code by using 5,000 different IP addresses that would send out one million requests containing possible combinations of the code.

In the past, Muthiyah earned a significant bounty from Facebook for flaws that could have been exploited to delete videosaccess private photos, and delete a user’s photos.

Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Increases Rewards for Account Hacking Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet