Instagram Account Takeover Vulnerability Earns Hacker $30,000

A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.

India-based bug bounty hunter Laxman Muthiyah discovered the security hole while analyzing Instagram’s password recovery system for mobile devices.

When users want to change their Instagram password, a six-digit code is sent to their mobile phone and they have to enter that code within 10 minutes to be able to change the password. Instagram developers had implemented a rate-limiting mechanism to prevent attackers from brute-forcing the six-digit code, but Muthiyah identified a way to bypass it.

The researcher noticed that if he sent 1,000 requests containing possible verification codes, 250 of them would go through while the rest would be blocked. He then used what he described as a combination of a race condition and IP rotation to send out a total of 200,000 requests.

He achieved this by using 1,000 different IPs and he said an attacker would have needed 5,000 IPs to hack into any Instagram account.

“It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” Muthiyah explained.

The white hat hacker reported his findings to Facebook — Facebook owns Instagram — which informed him on July 10 that a bounty of $30,000 would be awarded for the vulnerability report.

This is not the first time Muthiyah has earned a significant bounty from Facebook. In the past, he discovered serious flaws that could have been exploited to delete videos and modify and delete copyright rules, access private photos, and delete a user’s photos.

Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Increases Rewards for Account Hacking Vulnerabilities