Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Instagram Account Takeover Vulnerability Earns Hacker $30,000

A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.

India-based bug bounty hunter Laxman Muthiyah discovered the security hole while analyzing Instagram’s password recovery system for mobile devices.

A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.

India-based bug bounty hunter Laxman Muthiyah discovered the security hole while analyzing Instagram’s password recovery system for mobile devices.

When users want to change their Instagram password, a six-digit code is sent to their mobile phone and they have to enter that code within 10 minutes to be able to change the password. Instagram developers had implemented a rate-limiting mechanism to prevent attackers from brute-forcing the six-digit code, but Muthiyah identified a way to bypass it.

The researcher noticed that if he sent 1,000 requests containing possible verification codes, 250 of them would go through while the rest would be blocked. He then used what he described as a combination of a race condition and IP rotation to send out a total of 200,000 requests.

He achieved this by using 1,000 different IPs and he said an attacker would have needed 5,000 IPs to hack into any Instagram account.

“It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” Muthiyah explained.

The white hat hacker reported his findings to Facebook — Facebook owns Instagram — which informed him on July 10 that a bounty of $30,000 would be awarded for the vulnerability report.

Advertisement. Scroll to continue reading.

This is not the first time Muthiyah has earned a significant bounty from Facebook. In the past, he discovered serious flaws that could have been exploited to delete videos and modify and delete copyright rules, access private photos, and delete a user’s photos.

Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Increases Rewards for Account Hacking Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.