Bug-hunter Laxman Muthiyah has discovered a bug that could let hackers take over users' Instagram accounts by triggering a password reset. Triggering a password reset requests a recovery code, and a potential hacker could take advantage of this by quickly trying out every possible recovery code against the account.
Muthiyah has disclosed bugs to Facebook in the past. In compliance with Facebook’s Bug Bounty program, he previously pointed out a data deletion flaw as well as a data disclosure bug on Facebook. The latest potential attack he discovered would require an estimated $150 or so on an Amazon or Google account to set up.
However, the attack no longer works: the company says Facebook altered its server-side defensive mechanism unilaterally after the bug was brought to light. Paul Ducklin, Senior Technologist at Sophos, also shared tips for keeping Instagram accounts safe.
For instance, if users receive a password reset message or account recovery code that they did not request, it most likely means that someone is trying to hack into the account. Such cases should be reported to Instagram immediately. It is also advisable to read up in advance on the steps users need to follow if their accounts get hacked.
Earlier this year, 22-year-old Manipuri man Zonel Sougaijam was included in the ‘Facebook Hall of Fame 2019’ after he detected a WhatsApp bug that allowed the caller to upgrade to a video call during an ongoing voice call, without authorisation. Sougaijam was also awarded $5000.