Indian techie awarded $10,000 for discovering a flaw in Instagram

HIGHLIGHTS

This is not the first time Laxman Muthiyah has discovered a flaw in a Facebook app.

He was awarded $30,000 last month for spotting a similar vulnerability.

Facebook has awarded an Indian techie $10,000 for spotting a flaw in the app. Interestingly, only last month he was awarded $30,000 by Facebook for finding a bug in the mobile recovery flow of the Facebook-owned photo and video sharing app. Chennai-based security researcher Laxman Muthiyah said he has again discovered a new account takeover vulnerability in Instagram. The new vulnerability is similar to the one he reported in July and would have allowed anyone to take over Instagram accounts without the owner's consent.

Facebook says it has fixed the vulnerability. "Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme," Muthiyah said in a blog post.

The vulnerability could allow attackers to use the same device ID (the unique identifier Instagram's server uses to validate password reset codes) to request multiple passcodes for different users.

In reply, Facebook said in a letter to Muthiyah, "You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery."

Last month, he found a bug that allowed an attacker to take over an account in three simple steps:

  • Triggering a password reset.
  • Requesting a recovery code.
  • Quickly trying out every possible recovery code against the account.

While looking for an account takeover vulnerability, the techie turned his attention to the Instagram forgot-password endpoint. Last month he said he had sent thousands of requests to check whether Instagram's systems were validating and rate limiting the requests properly, and found he was able to send requests continuously without getting blocked. To change the password, he needed the code that is sent to the account user's registered mobile number. So the only method left that could succeed was trial and error: trying codes until one was accepted.
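The two weaknesses the article describes, a recovery endpoint that accepts unlimited code guesses and one that lets a single device ID open recovery flows for many accounts, are both rate-limiting failures on the server side. The following is an added illustration of how a recovery-code service can close both gaps; it is not Instagram's code, Facebook's fix, or Muthiyah's research, and the limits (6-digit codes, 5 guesses per code, 3 recovery requests per device per hour, 10-minute expiry) are assumed values chosen for the example. The code is returned from `request_code` only so the example can run offline; a real service would deliver it by SMS and never hand it back to the requester.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy values for this example, not Instagram's real limits.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60          # a code is only valid for ten minutes
MAX_ATTEMPTS_PER_CODE = 5           # guesses allowed before the code is burned
MAX_REQUESTS_PER_DEVICE = 3         # recovery flows one device ID may open per window
WINDOW_SECONDS = 3600


@dataclass
class PendingReset:
    code: str
    device_id: str      # the device that asked for the code; only it may redeem it
    issued_at: float
    attempts: int = 0


class RecoveryService:
    """Issues and verifies password-reset codes with per-code and per-device limits."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                                   # injectable clock for testing
        self._pending: Dict[str, PendingReset] = {}       # account -> outstanding code
        self._device_requests: Dict[str, List[float]] = {}  # device_id -> request times

    def request_code(self, account: str, device_id: str) -> Optional[str]:
        """Start a recovery flow; returns None when the device has hit its quota."""
        now = self._now()
        recent = [t for t in self._device_requests.get(device_id, [])
                  if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_DEVICE:
            return None  # one device ID cannot fan out across many accounts
        recent.append(now)
        self._device_requests[device_id] = recent
        # Cryptographically random code, zero-padded to a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A new request replaces any earlier outstanding code for the account.
        self._pending[account] = PendingReset(code, device_id, now)
        return code  # simulated SMS delivery (see lead-in)

    def verify_code(self, account: str, device_id: str, submitted: str) -> bool:
        """Redeem a code. Every failure path returns False without leaking why."""
        pending = self._pending.get(account)
        if pending is None:
            return False
        now = self._now()
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]          # expired codes are discarded
            return False
        if pending.device_id != device_id:
            return False                        # code is bound to the requesting device
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS_PER_CODE:
            del self._pending[account]          # too many guesses: burn the code
            return False
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[account]          # single use
            return True
        return False
```

With these checks in place a guessing run against a 6-digit code fails after five tries, a device cannot open recovery flows for an unbounded number of accounts within the window, and a code requested from one device cannot be redeemed from another.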

This is not even the second time Muthiyah has found a flaw in a Facebook app. In the past, he uncovered a data deletion flaw and a data disclosure bug on Facebook as well.

Digit NewsDesk


Digit News Desk writes news stories across a range of topics, bringing you updates on the latest in the world of tech.

Digit.in