Tuesday, June 28, 2022

Chennai-based hacker gets $10,000 bounty for discovering Instagram bug

A Chennai-based hacker won around Rs 7.2 lakh after he found a vulnerability in Instagram that allowed hacking multiple Instagram accounts using a device ID and password reset code.

By: Tech Desk | New Delhi |
Updated: August 27, 2019 1:25:49 pm
Indian hacker rewarded USD 10,000 for discovering a vulnerability on Instagram.

Chennai-based security researcher Laxman Muthiyah on Monday discovered a new account takeover vulnerability in the Facebook-owned photo and video-sharing app Instagram, which landed him a reward of $10,000 (about Rs 7.2 lakh) as part of the social network’s bug bounty program.

The hacker said that Facebook has now fixed the issue. “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty program,” Muthiyah said in a blog post.

The hacker had spotted a similar vulnerability in Instagram last month, which landed him a reward of $30,000 (around Rs 21.5 lakh) from Facebook. While the previously spotted vulnerability allowed anyone to bypass the rate-limiting mechanism on the six-digit passcode used to reset an Instagram account, the newly found vulnerability could have been used to hack multiple accounts at once using a device ID and password reset code.

Muthiyah explains the issue in his blog post. He says that when users request a passcode using their mobile device, a device ID, which is randomly generated, is sent along with the request. The same device ID is used again to verify the passcode.


There are one million possible values for a 6-digit passcode and “when we request passcodes of multiple users, we are increasing the probability of hacking accounts”. So, to improve the chances of success, the attacker needs to request passcodes of more users.


“Therefore, an attacker should request codes of 1 million users to complete the attack with 100 per cent success rate,” the hacker writes in his blog post. This would allow a person to hack all one million users' accounts, but the attack should happen within 10 minutes as the codes expire after this time limit.
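
A defender-side check for the pattern described above, as an added example that is not from the article or from Muthiyah's blog post: it scans password-reset request logs for a single device ID that requests codes for many distinct accounts within the 10-minute code lifetime. The log format, field names and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

CODE_LIFETIME_S = 600        # reset codes expire after 10 minutes (per the article)
MAX_ACCOUNTS_PER_DEVICE = 3  # assumed alert threshold; tune against real traffic

# Constructed sample log (hypothetical format): "<epoch> <event> device=<id> account=<name>"
SAMPLE_LOG = """\
1000 reset_code_requested device=dev-A account=user01
1005 reset_code_requested device=dev-A account=user02
1010 reset_code_requested device=dev-A account=user03
1015 reset_code_requested device=dev-A account=user04
1020 reset_code_requested device=dev-A account=user05
1030 reset_code_requested device=dev-B account=alice
1090 reset_code_requested device=dev-B account=alice
1100 login_ok device=dev-B account=alice
1200 reset_code_requested device=dev-C account=bob
2400 reset_code_requested device=dev-C account=carol
3600 reset_code_requested device=dev-C account=dave
4800 reset_code_requested device=dev-C account=erin
"""

def parse_line(line):
    """Return (timestamp, device_id, account) for reset requests, else None."""
    ts, event, dev, acct = line.split()
    if event != "reset_code_requested":
        return None
    return int(ts), dev.split("=", 1)[1], acct.split("=", 1)[1]

def flag_device_ids(events, window_s=CODE_LIFETIME_S, limit=MAX_ACCOUNTS_PER_DEVICE):
    """Map each device ID that requested reset codes for more than `limit`
    distinct accounts inside one sliding window of `window_s` seconds to the
    largest distinct-account count observed for it."""
    recent = defaultdict(deque)  # device_id -> (timestamp, account) still in window
    flagged = {}
    for ts, device_id, account in sorted(events):
        q = recent[device_id]
        q.append((ts, account))
        while ts - q[0][0] >= window_s:   # drop requests whose codes have expired
            q.popleft()
        distinct = len({a for _, a in q})
        if distinct > limit:
            flagged[device_id] = max(flagged.get(device_id, 0), distinct)
    return flagged

EVENTS = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]

if __name__ == "__main__":
    print(flag_device_ids(EVENTS))
```

A repeated request for the same account (dev-B) and requests for different accounts spread over more than one code lifetime (dev-C) are not flagged at the default settings.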
