Chennai-based hacker gets $10,000 bounty for discovering Instagram bug

https://indianexpress.com/article/technology/social/chennai-based-hacker-rewarded-10000-for-discovering-instagram-bug-5941112/

A Chennai-based hacker won around Rs 7.2 lakh after he found a vulnerability in Instagram that allowed multiple Instagram accounts to be hacked using a device ID and the password reset code.

Indian hacker rewarded USD 10,000 for discovering a vulnerability on Instagram.

Chennai-based security researcher Laxman Muthiyah on Monday discovered a new account takeover vulnerability in Instagram, the Facebook-owned photo and video-sharing app, which landed him a reward of $10,000 — about Rs 7.2 lakh — as part of the social network’s bug bounty program.

The hacker said that Facebook has now fixed the issue. “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty program,” Muthiyah said in a blog post.

The hacker had spotted a similar vulnerability in Instagram last month, which landed him a reward of $30,000 (around Rs 21.5 lakh) from Facebook. While the earlier vulnerability allowed anyone to bypass the rate limiting on the six-digit passcode used when resetting an Instagram account, the newly found vulnerability could have been used to hack multiple accounts at once using a device ID and the password reset code.

Muthiyah explains the issue in his blog post. He says that when users request a passcode using their mobile device, a device ID, which is randomly generated, is sent along with the request. The same device ID is used again to verify the passcode.


A 6-digit passcode has one million possible values, and, as the blog post puts it, “when we request passcodes of multiple users, we are increasing the probability of hacking accounts”. So to reduce the number of guesses required, the attacker requests passcodes for more users.


“Therefore, an attacker should request codes of 1 million users to complete the attack with 100 per cent success rate,” the hacker writes in his blog post. This would allow a person to hack all one million users’ accounts, but the attack would have to happen within 10 minutes, as the codes expire after that time limit.
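To make the security point concrete, the following is an added toy model written for this article; it is not Instagram's code, nor code from Muthiyah's blog post, and the internal data structures, class names and limits are assumptions. It contrasts a verifier that indexes reset codes by device ID alone (the defect the article describes: a code presented with a device ID is accepted if it matches any live code issued to that device, whichever account it belongs to) with a hardened verifier that binds each code to the (account, device) pair, makes it single-use, expires it after 10 minutes, budgets guesses, and caps how many accounts one device may hold live codes for. The probability helper restates the article's reasoning that N outstanding codes on one device give a single guess roughly N in a million odds.

```python
"""Toy model of passcode verification bound to a device ID versus bound to an
(account, device ID) pair. Illustrative only; all structures are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

CODE_SPACE = 1_000_000   # a 6-digit passcode has one million possible values
CODE_TTL_SECONDS = 600   # codes expire after 10 minutes, per the article


@dataclass
class IssuedCode:
    account: str
    code: str
    issued_at: float
    used: bool = False

    def is_live(self, now: float) -> bool:
        return not self.used and now - self.issued_at <= CODE_TTL_SECONDS


def new_code() -> str:
    """Uniformly random, zero-padded 6-digit passcode."""
    return f"{secrets.randbelow(CODE_SPACE):06d}"


def single_guess_success_probability(outstanding_codes: int) -> float:
    """Chance that one guess matches at least one of N live codes accepted on
    the same device, assuming the N codes are distinct (the article's argument)."""
    return min(1.0, outstanding_codes / CODE_SPACE)


class DeviceBoundVerifier:
    """Models the defect: codes are indexed by device ID only, so verification
    never asks which account is being reset and any live code for the device wins."""

    def __init__(self) -> None:
        self._by_device: dict[str, list[IssuedCode]] = {}

    def request_code(self, account: str, device_id: str, now: float) -> str:
        entry = IssuedCode(account, new_code(), now)
        self._by_device.setdefault(device_id, []).append(entry)
        return entry.code

    def outstanding(self, device_id: str, now: float) -> int:
        """How many live codes this one device currently holds (a useful detection signal)."""
        return sum(e.is_live(now) for e in self._by_device.get(device_id, []))

    def verify(self, device_id: str, code: str, now: float) -> str | None:
        """Returns the account whose code matched, or None."""
        for entry in self._by_device.get(device_id, []):
            if entry.is_live(now) and secrets.compare_digest(entry.code, code):
                entry.used = True
                return entry.account
        return None


class AccountBoundVerifier:
    """Hardened form: one live code per (account, device), checked only against
    the named account, single-use, expiring, with a guess budget per pair and a
    cap on the number of accounts a single device may hold live codes for."""

    def __init__(self, max_accounts_per_device: int = 3, max_attempts: int = 5) -> None:
        self.max_accounts_per_device = max_accounts_per_device
        self.max_attempts = max_attempts
        self._codes: dict[tuple[str, str], IssuedCode] = {}
        self._attempts: dict[tuple[str, str], int] = {}

    def _live_accounts(self, device_id: str, now: float) -> set[str]:
        return {acct for (acct, dev), e in self._codes.items()
                if dev == device_id and e.is_live(now)}

    def request_code(self, account: str, device_id: str, now: float) -> str | None:
        live = self._live_accounts(device_id, now)
        if account not in live and len(live) >= self.max_accounts_per_device:
            return None  # refuse: one device is collecting codes for too many accounts
        key = (account, device_id)
        self._codes[key] = IssuedCode(account, new_code(), now)  # replaces any older code
        self._attempts[key] = 0
        return self._codes[key].code

    def verify(self, account: str, device_id: str, code: str, now: float) -> bool:
        key = (account, device_id)
        entry = self._codes.get(key)
        if entry is None or not entry.is_live(now):
            return False
        self._attempts[key] += 1
        if self._attempts[key] > self.max_attempts:
            return False  # guess budget exhausted; this code is effectively dead
        if not secrets.compare_digest(entry.code, code):
            return False
        entry.used = True  # single-use
        return True
```

The design choice worth noting is that the hardened verifier takes the account as an input and looks up only that account's code, so a code issued to one user cannot satisfy a reset for another no matter how many codes a device has requested; the per-device cap and the `outstanding` count are the signals a defender would alert on if one device started requesting codes for many accounts.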