Indian hacker Laxman Muthiyah has found a vulnerability in Instagram that allowed him to take over any account he wanted, with the account holder unable to do anything about it. He has now released his proof-of-concept code, since Facebook’s security team has already fixed the problem and rewarded him with $30,000 for the report. The vulnerability exploited by the bug bounty hunter lies in the password recovery system behind the Instagram platform: he leveraged the “password reset” flow that normally helps people who forgot or lost their password regain access to their account.
When a user asks for a password reset, Instagram sends a six-digit passcode to their mobile phone or registered email address, and that code expires in ten minutes. This works much like a two-factor authentication step, helping the platform confirm that it is the real account holder who is asking for the reset. The hacker figured out that by sending thousands of simultaneous password reset requests from different IP addresses, he could leverage a race condition and bypass this verification step. Going from theory to practice, Muthiyah used 1,000 different IPs to send 200,000 requests, just to make his point to Facebook’s security team.
As he points out, an attacker would need 5,000 IPs and one million requests to brute-force their way into an Instagram account, and renting the required cloud infrastructure would cost approximately $150. Although that many account-takeover attempts should trigger a blocking action from the platform, the ten-minute expiry window was the key: spreading the requests across many IP addresses within that window kept the rate-limiting mechanism at a level that made the attack possible. No incidents of this attack being used in the wild are known, and it is now too late for malicious actors to try it, as the problem has been fixed.
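The numbers above make the defender's lesson concrete: a six-digit code has only one million possibilities, so any rate limit that can be spread across source IPs leaves the code guessable inside its ten-minute lifetime. The following is an added example, not code from the article or from Instagram, of a reset-code verifier that budgets guesses per issued code rather than per IP; the five-guess budget and the clock injection are assumptions for the example.

```python
import hmac
import secrets
import time

CODE_SPACE = 10 ** 6          # six-digit numeric codes, as on the page
CODE_TTL_SECONDS = 600        # ten-minute expiry, as on the page
MAX_ATTEMPTS_PER_CODE = 5     # assumed per-code guess budget (example value)


class ResetCodeVerifier:
    """Password-reset code store that budgets guesses per code, not per IP.

    A per-IP rate limit can be sidestepped by spreading requests over many
    source addresses; a per-code attempt counter cannot, because every guess
    consumes the same budget no matter where it comes from.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._codes = {}           # account -> [code, issued_at, failed]

    def issue(self, account):
        """Generate a fresh code for the account (sent out of band in reality)."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[account] = [code, self._now(), 0]
        return code

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]          # expired: a new code is required
            return False
        if hmac.compare_digest(code, guess):  # constant-time comparison
            del self._codes[account]          # single use
            return True
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS_PER_CODE:
            del self._codes[account]          # budget spent: invalidate the code
        return False


def max_success_probability(guesses_allowed, code_space=CODE_SPACE):
    """Upper bound on the chance of guessing a uniformly random code when the
    verifier accepts at most `guesses_allowed` distinct guesses for it."""
    return min(guesses_allowed, code_space) / code_space
```

With the page's figures, 200,000 accepted guesses bound the attacker's success at 20% and one million at 100%, whereas a per-code budget of five bounds it at 0.0005%.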
If you own an Instagram account and want to stay safe from attacks, there are several things you can do on your side. Change your password regularly and always use a unique, strong combination of letters, numbers, and punctuation marks. Uncheck the “Remember Me” box when you are not using your own computer, don’t blindly approve account access for third-party apps, and turn on two-factor authentication.
Have you ever experienced an account takeover on Instagram? How did it happen? Share your experience with us in the comments down below, and also on our socials, on Facebook and Twitter.