Laxman Muthiyah, a Chennai-based security researcher, discovered a new account takeover vulnerability on Instagram, earning $10,000 (approximately Rs. 7.2 lakhs) through Facebook's bug bounty program. Muthiyah had spotted a similar vulnerability back in July, for which he was awarded $30,000 (approximately Rs. 21.6 lakhs).
Facebook has since fixed the vulnerability. Muthiyah noticed that the same device ID, the unique identifier the Instagram server uses to validate password reset codes, could be used to request multiple passcodes for different users.
Facebook said in a letter to Muthiyah: “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery.”
Muthiyah had discovered last month that the flaw could let someone other than the actual user take over the account. It was done by requesting a password reset, requesting a recovery code, and then quickly trying out possible recovery codes to get into the account.
Muthiyah said in a blog post, “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty program. I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof of concept video, I could convince them the attack is feasible.”
Instagram does not allow unlimited attempts: it locks you out once a wrong code has been entered more than 200 times, and the reset code itself is only valid for 10 minutes. The flaw lies in how those limits were enforced. If someone requested multiple resets at the same time and tried random codes against all of them back to back, they were likely to succeed, and the Facebook-owned app allowed exactly this. That is what Laxman pointed out.
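As an added illustration (not Instagram's, Facebook's or the researcher's code), here is a hypothetical hardened recovery-code verifier: wrong guesses are counted per target account across every outstanding code, a fresh reset request never resets that count, and reaching the cap burns all live codes and locks the account. The 200-attempt cap and the 10-minute code lifetime are the limits the article describes; the class and method names and the one-hour lockout are assumptions.

```python
import secrets
import time

MAX_FAILURES = 200        # article: lockout after 200 wrong codes
CODE_LIFETIME = 10 * 60   # article: ten minutes to enter the code
LOCKOUT = 60 * 60         # assumed lockout duration, not from the article


class RecoveryCodes:
    """Hypothetical hardened verifier: one failure budget per account."""

    def __init__(self, clock=time.time):
        self.clock = clock    # injectable clock so expiry can be tested
        self.codes = {}       # account -> {code: expiry timestamp}
        self.failures = {}    # account -> (wrong guesses, locked_until)

    def request_code(self, account):
        """Issue a six-digit code. A new request never resets the failure
        count, so concurrent resets for one account share a single budget."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes.setdefault(account, {})[code] = self.clock() + CODE_LIFETIME
        return code

    def verify(self, account, guess):
        now = self.clock()
        count, locked_until = self.failures.get(account, (0, 0.0))
        if now < locked_until:
            return False      # locked: even the correct code is refused
        # drop expired codes, then compare the guess against every live one
        live = {c: e for c, e in self.codes.get(account, {}).items() if e > now}
        self.codes[account] = live
        if any(secrets.compare_digest(c, guess) for c in live):
            self.codes[account] = {}          # success burns all outstanding codes
            self.failures.pop(account, None)
            return True
        count += 1
        if count >= MAX_FAILURES:
            self.codes[account] = {}          # burn codes and lock the account
            self.failures[account] = (0, now + LOCKOUT)
        else:
            self.failures[account] = (count, 0.0)
        return False
```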
This is a serious issue, especially at a time when privacy is in the spotlight. Anyone could have hacked your Instagram account if this flaw had gone undetected.