PhoneSpeck Press Release

Monday, July 15, 2019

Instagram vulnerability could have allowed an attacker to remotely hack your account


Laxman Muthiyah, an Indian bug bounty hunter, has recently discovered a security vulnerability in Instagram that could have allowed an attacker to hack any Instagram account by sending 1000 brute force requests from different IPs.

As a security measure, sending a large number of requests to the servers would normally block further login attempts. The bug bounty hunter therefore sent around 1000 requests from different IPs and, surprisingly, 250 of them went through while the remaining 750 requests were rate limited.

At the time of writing this story, the security vulnerability had been reported to Facebook for an immediate fix, and Laxman received a reward of $30,000 as part of the bug bounty program. A bug bounty program allows a user to spot and report security weaknesses under certain disclosure policies.

The account takeover mechanism he first tested was Instagram's "forgot password" endpoint via the web interface, but he said all attempts there were unsuccessful, as no bugs were found during that process.

According to the report, the flaw existed inside Instagram's "mobile recovery system", which allows a user to recover a forgotten password via a 6 digit passcode sent to a registered mobile number, if one is available. By trying all one million codes against the verify-code endpoint, an attacker could have changed the account's password without the user's consent, the report reads.

A race hazard and IP rotation allowed the bug bounty hunter to bypass the verification mechanism and its rate limiting. Rate limiting is a DDoS prevention mechanism that controls how many requests a client may send or receive within a specific period of time.



© Copyright 2019 PhoneSpeck | All Right Reserved