Chennai-based security researcher Laxman Muthiyah on Monday disclosed a new account takeover vulnerability in Instagram, the Facebook-owned photo and video-sharing app, which earned him a $10,000 reward (about Rs 7.2 lakh) under the social network’s bug bounty program.
The hacker said that Facebook has now fixed the issue. “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty program,” Muthiyah said in a blog post.
The hacker had reported a similar vulnerability in Instagram last month, which earned him $30,000 (around Rs 21.5 lakh) from Facebook. The earlier vulnerability let anyone bypass the rate limiting on the six-digit passcode used to reset an Instagram account; the newly found one could have been used to hijack many accounts at once by reusing a single device ID across password reset code requests.
Muthiyah explains the issue in his blog post. When a user requests a passcode from a mobile device, a randomly generated device ID is sent along with the request, and the same device ID is sent again when the passcode is verified. The flaw was that the device ID was not tied to one account: the attacker could request reset codes for many different users while presenting the same device ID, and a code submitted from that device ID was accepted if it matched any of the codes issued to it.
There are one million possible values for a six-digit passcode, and, as Muthiyah writes, “when we request passcodes of multiple users, we are increasing the probability of hacking accounts”. The more users whose codes are pending on a single device ID, the more of the code space is covered by a live code, so each guess has a higher chance of unlocking some account.
“Therefore, an attacker should request codes of 1 million users to complete the attack with 100 per cent success rate,” the hacker writes in his blog post. That would let an attacker take over all one million accounts, but the whole attack has to finish within 10 minutes, because the codes expire after that.
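To make the arithmetic concrete, here is an added simulation (written for this article, not Muthiyah's code or anything from Instagram) of the two reset-service designs. The vulnerable model keys pending codes by device ID alone, so one device ID can hold codes for many users and a single guess is checked against all of them; the attacker then walks the code space once and the cost of one brute force is amortised over every user. The hardened model binds each code to a specific user and device and locks the user after a handful of attempts. Class names, the `attacker-device` ID, the attempt limit and the seeded random codes are all assumptions of this example.

```python
import random
from collections import defaultdict

CODE_SPACE = 10**6  # six-digit passcodes, 000000..999999


class VulnerableResetService:
    """Assumed, simplified model of the flaw described in the article.

    Codes are stored per device ID only, so a device ID can accumulate
    pending codes for any number of users, and verification answers
    'which users does this code unlock' rather than 'is this the code
    for user X'.
    """

    def __init__(self, rng, code_space=CODE_SPACE):
        self.rng = rng
        self.code_space = code_space
        self.codes = defaultdict(lambda: defaultdict(set))  # dev -> code -> users

    def request_code(self, device_id, user):
        code = self.rng.randrange(self.code_space)
        self.codes[device_id][code].add(user)

    def verify(self, device_id, code):
        # Every user whose pending code equals the guess is "verified".
        return set(self.codes[device_id].get(code, ()))


class FixedResetService:
    """Hardened model: code bound to (device, user), attempts capped per user."""

    MAX_ATTEMPTS = 5  # assumed lockout threshold

    def __init__(self, rng, code_space=CODE_SPACE):
        self.rng = rng
        self.code_space = code_space
        self.codes = {}                 # (device_id, user) -> code
        self.attempts = defaultdict(int)

    def request_code(self, device_id, user):
        self.codes[(device_id, user)] = self.rng.randrange(self.code_space)

    def verify(self, device_id, user, code):
        key = (device_id, user)
        if self.attempts[key] >= self.MAX_ATTEMPTS:
            return "locked"
        self.attempts[key] += 1
        return "ok" if self.codes.get(key) == code else "wrong"


def attack_vulnerable(n_users, code_space=CODE_SPACE, seed=0):
    """Request codes for n_users via one device ID, then try each code once.

    Returns (set of compromised users, number of verify calls made).
    """
    svc = VulnerableResetService(random.Random(seed), code_space)
    device_id = "attacker-device"
    users = [f"user{i}" for i in range(n_users)]
    for u in users:
        svc.request_code(device_id, u)
    compromised, calls = set(), 0
    for guess in range(code_space):
        calls += 1
        compromised |= svc.verify(device_id, guess)
        if len(compromised) == n_users:
            break
    return compromised, calls


def attack_fixed(n_users, code_space=CODE_SPACE, seed=0):
    """Same attacker against the hardened service: each user must be brute
    forced separately and lockout stops the attempt after MAX_ATTEMPTS."""
    svc = FixedResetService(random.Random(seed), code_space)
    device_id = "attacker-device"
    users = [f"user{i}" for i in range(n_users)]
    for u in users:
        svc.request_code(device_id, u)
    compromised, calls = set(), 0
    for u in users:
        for guess in range(code_space):
            result = svc.verify(device_id, u, guess)
            if result == "locked":
                break
            calls += 1
            if result == "ok":
                compromised.add(u)
                break
    return compromised, calls


if __name__ == "__main__":
    comp, calls = attack_vulnerable(1000)
    print(f"vulnerable: {len(comp)} of 1000 accounts with {calls} guesses "
          f"({calls / len(comp):.0f} guesses per account)")
    comp, calls = attack_fixed(1000)
    print(f"fixed: {len(comp)} of 1000 accounts with {calls} guesses")
```

Against the vulnerable model, one pass over the code space compromises every user whose code is pending, so the guesses needed per account shrink as `code_space / n_users`; with a million pending users that is one guess per account, which is the 100 per cent figure in the article. Against the fixed model the attacker gets at most `MAX_ATTEMPTS` guesses per user and compromises almost nobody.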