Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Instagram Account Takeover Vulnerability Earns Hacker $30,000

A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.

India-based bug bounty hunter Laxman Muthiyah discovered the security hole while analyzing Instagram’s password recovery system for mobile devices.

A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.

India-based bug bounty hunter Laxman Muthiyah discovered the security hole while analyzing Instagram’s password recovery system for mobile devices.

When users want to change their Instagram password, a six-digit code is sent to their mobile phone and they have to enter that code within 10 minutes to be able to change the password. Instagram developers had implemented a rate-limiting mechanism to prevent attackers from brute-forcing the six-digit code, but Muthiyah identified a way to bypass it.

The researcher noticed that if he sent 1,000 requests containing possible verification codes, 250 of them would go through while the rest would be blocked. He then used what he described as a combination of a race condition and IP rotation to send out a total of 200,000 requests.

He achieved this by using 1,000 different IPs and he said an attacker would have needed 5,000 IPs to hack into any Instagram account.

“It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” Muthiyah explained.

The white hat hacker reported his findings to Facebook — Facebook owns Instagram — which informed him on July 10 that a bounty of $30,000 would be awarded for the vulnerability report.

This is not the first time Muthiyah has earned a significant bounty from Facebook. In the past, he discovered serious flaws that could have been exploited to delete videos and modify and delete copyright rules, access private photos, and delete a user’s photos.

Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Increases Rewards for Account Hacking Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.