PhoneSpeck Press Release

Monday, July 15, 2019

Instagram vulnerability could have allowed an attacker to remotely hack your account


Laxman Muthiyah, an Indian bug bounty hunter, has recently discovered a security vulnerability in Instagram that could have allowed an attacker to hack any Instagram account by sending 1000 brute force requests from different IPs.

As a security measure, sending a number of malicious requests to the servers could block login attempts. The bug bounty hunter therefore sent around 1000 requests from different IPs, and surprisingly, 250 of them went through while the remaining 750 requests were rate limited.

At the time of writing this story, the security vulnerability had been reported to Facebook for immediate fixes, and Laxman received a reward of $30,000 as part of the bug bounty program. The bug bounty program allows a user to spot and report security weaknesses under certain disclosure policies.

The account takeover mechanism used in this test was Instagram's "forgot password" endpoint, accessed via the web interface, but he said all attempts were unsuccessful, as no bugs were found during the process.

According to the report, the flaw existed inside Instagram's "mobile recovery system", which allows a user to recover a forgotten password via a 6-digit passcode sent to a registered mobile number, if available. By trying all one million codes on the verify-code endpoint, an attacker could have changed an account's password without the user's consent, the report reads.

A race hazard and IP rotation allowed the bug bounty hunter to bypass the verification mechanism and the rate limit on traffic. Rate limiting is a DDoS prevention mechanism that controls the rate of traffic sent or received by the network within a specific period of time.
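
A mitigation for the class of flaw described above, as an added example (not Instagram's code or its fix, which this page does not describe): the guess budget belongs to the issued 6-digit code rather than to the source IP, and it is decremented under a lock so parallel requests cannot race past it. `ResetCodeStore`, `MAX_ATTEMPTS`, the code lifetime and the replayed traffic are assumptions constructed for illustration.

```python
import hmac
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code
CODE_TTL_SECONDS = 600  # assumed code lifetime


class ResetCodeStore:
    """Hypothetical in-memory store: one outstanding 6-digit code per account."""

    def __init__(self):
        self._lock = threading.Lock()
        self._codes = {}    # account -> [code, expires_at, attempts_left]
        self.compared = 0   # how many guesses were actually checked against a code

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"  # one of 1,000,000 values
        with self._lock:
            self._codes[account] = [code, time.time() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account, guess, source_ip):
        # source_ip is for logging only: the budget belongs to the code, so
        # spreading guesses across addresses buys no extra attempts.
        with self._lock:  # check, decrement and burn happen as one atomic step
            entry = self._codes.get(account)
            if entry is None or time.time() > entry[1]:
                self._codes.pop(account, None)
                return False
            entry[2] -= 1
            self.compared += 1
            ok = hmac.compare_digest(entry[0], guess)
            if ok or entry[2] == 0:
                del self._codes[account]  # single use; burned after the last guess
            return ok


def replay_concurrent_wrong_guesses(store, account, real_code, n_requests=1000):
    """Constructed traffic: n wrong guesses sent in parallel, each tagged with
    a different documentation-range address (198.51.100.0/24)."""
    def one(i):
        wrong = f"{(int(real_code) + 1 + i) % 10**6:06d}"
        return store.verify(account, wrong, f"198.51.100.{i % 256}")
    with ThreadPoolExecutor(max_workers=50) as pool:
        return list(pool.map(one, range(n_requests)))
```

However many of the 1000 parallel requests arrive, only `MAX_ATTEMPTS` of them are ever compared against the code, after which the code is invalidated and a new one must be issued.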


Thursday, June 27, 2019

WhatsApp to soon support sharing Status to Facebook & other platforms

WhatsApp status sharing

WhatsApp, the Facebook-owned instant messaging platform, has introduced many new features since its launch. The company not only adds new features to WhatsApp but has also integrated Facebook with many advanced features.

The company first launched WhatsApp Status in 2017, and it claims that the feature has since reached more than 500 million daily active users. However, the existing features seem to be unbalanced for Facebook. Now, in order to make existing features more useful, the instant messaging platform has been spotted testing a new feature that allows users to share their WhatsApp status to Facebook and other apps.

The new WhatsApp status sharing feature will be based on the Android and iOS APIs, which will integrate a Share icon below the WhatsApp status. The share icon will allow users to instantly share their status to Facebook Stories, Instagram, Gmail, and other apps installed on their smartphones.

In general, when a user presses the share button, the API-based icon will immediately open a list of the installed apps, and the user can select a preferred app to share a story to. There is no option to automatically share the WhatsApp Status on Facebook Stories or Instagram; however, the future can't be predicted accurately.

The new app is currently under beta testing and is believed to be released publicly in the coming weeks. No official announcements have been made so far. The exact release date is still not known.

There is one thing about the share button that grabs our attention. As we all know, WhatsApp lets us post status updates that disappear within 24 hours. But if a user shares their status to Facebook, Instagram or anywhere else, will it disappear in those other places too?
