A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.
India-based bug bounty hunter Laxman Muthiyah discovered the security hole while analyzing Instagram’s password recovery system for mobile devices.
When users want to change their Instagram password, a six-digit code is sent to their mobile phone and they have to enter that code within 10 minutes to be able to change the password. Instagram developers had implemented a rate-limiting mechanism to prevent attackers from brute-forcing the six-digit code, but Muthiyah identified a way to bypass it.
The researcher noticed that if he sent 1,000 requests containing possible verification codes, 250 of them would go through while the rest would be blocked. He then used what he described as a combination of a race condition and IP rotation to send out a total of 200,000 requests.
He achieved this by using 1,000 different IPs and he said an attacker would have needed 5,000 IPs to hack into any Instagram account.
“It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” Muthiyah explained.
The white hat hacker reported his findings to Facebook — Facebook owns Instagram — which informed him on July 10 that a bounty of $30,000 would be awarded for the vulnerability report.
This is not the first time Muthiyah has earned a significant bounty from Facebook. In the past, he discovered serious flaws that could have been exploited to delete videos and modify and delete copyright rules, access private photos, and delete a user’s photos.
Related: Flaws Allowed Hackers to Brute-Force Instagram Accounts
Related: CSRF Vulnerability in Facebook Earns Researcher $25,000
Related: Facebook Increases Rewards for Account Hacking Vulnerabilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
