Hacker Finds Instagram Account Takeover Flaw Worth $10,000

A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts.

India-based white hat hacker Laxman Muthiyah identified the flaw while looking at Instagram’s password recovery system for mobile devices, a process in which users receive a six-digit code on their phone and must enter it within 10 minutes to be allowed to change their password.

Instagram developers have implemented some protection mechanisms to prevent attempts to obtain the code through brute-force attacks. However, according to Muthiyah, an ID that is randomly generated by the Instagram app for every device is included in the request when the password reset code is solicited. This device ID is also used to check the validity of the six-digit code.

The researcher noticed that the same device ID can be used to request codes for multiple user accounts. This meant that with enough requests an attacker would be able to obtain the correct password reset codes.

“There are one million probabilities for a 6 digit pass code (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts,” Muthiyah explained in a blog post. “For example, if you request pass code of 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request pass codes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the pass code one by one.”

The expert said that, for a 100% success rate, codes for one million Instagram users would have to be requested within 10 minutes, because each code expires after 10 minutes.

Facebook determined that the vulnerability was caused by insufficient protections on a recovery endpoint. The social media giant awarded the hacker $10,000 for his findings.
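A defender-side sketch of the kind of protection the recovery flow lacked, added here as an illustration and not Instagram's or Facebook's code: it caps how many accounts may hold unexpired codes under one device ID and accepts a code only for the account and device it was issued to. The class name, the cap of 3 accounts and the limit of 5 guesses are assumptions; only the six-digit code and the 10-minute lifetime come from the article.

```python
import hmac
import secrets

CODE_TTL = 600               # seconds: the 10-minute code lifetime from the article
MAX_ACCOUNTS_PER_DEVICE = 3  # assumed cap, not a value from the article
MAX_ATTEMPTS = 5             # assumed per-code guess limit


class ResetCodes:
    """Hypothetical server-side store for password reset codes."""

    def __init__(self, clock):
        self.clock = clock  # callable returning seconds, injectable for tests
        self.codes = {}     # account -> [code, device_id, expires_at, attempts_left]

    def _live_accounts(self, device_id):
        """Accounts that currently hold an unexpired code under this device ID."""
        now = self.clock()
        return {a for a, (_, d, exp, _) in self.codes.items()
                if d == device_id and exp > now}

    def request_code(self, account, device_id):
        """Issue a code, or return None when the device ID is over its cap."""
        live = self._live_accounts(device_id)
        if account not in live and len(live) >= MAX_ACCOUNTS_PER_DEVICE:
            return None  # one device ID may not collect codes for many accounts
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = [code, device_id, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, account, device_id, guess):
        """Accept a guess only for the account and device the code was issued to."""
        entry = self.codes.get(account)
        if entry is None or entry[1] != device_id or entry[2] <= self.clock():
            return False
        entry[3] -= 1  # every guess spends one attempt
        ok = hmac.compare_digest(entry[0].encode(), guess.encode())
        if ok or entry[3] <= 0:
            del self.codes[account]  # single use; burn the code when guesses run out
        return ok
```

A production flow would pair this with per-account and per-network request limits, which are left out here to keep the device-ID check in focus.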

In July, Muthiyah reported discovering an Instagram account takeover vulnerability that earned him $30,000 from Facebook. That exploit involved obtaining the six-digit code by using 5,000 different IP addresses that would send out one million requests containing possible combinations of the code.

In the past, Muthiyah earned a significant bounty from Facebook for flaws that could have been exploited to delete videos, access private photos, and delete a user’s photos.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
