Indian techie awarded $30,000 for finding flaw in Instagram

By Digit NewsDesk | Published on Jul 19 2019
Indian techie awarded $30,000 for finding flaw in Instagram

Get Redmi 8 4GB+64 GB @ RS.7,999

With 12MP+2MP AI Dual camera, 5000mAh battery, fast charging, Fingerprint sensor + AI Face unlock

Click here to know more


Indian techie awarded $30,000 for finding a bug in Instagram’s mobile recovery flow.

The bug has now been fixed.

Instagram has awarded an Indian techie $30,000 (approx Rs 20,64,500) for finding a bug in the mobile recovery flow of the Facebook-owned photo and video sharing app. Chennai-based security researcher Laxman Muthiyah said that Facebook and Instagram security teams have fixed the issue and rewarded him as a part of their bounty programme. “I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and proof of concept video, I could convince them the attack is feasible,” Muthiyah wrote in a blog post.

Here’s how he found the bug:

In a nutshell, the hacking was done in three simple steps:

  • Triggering a password reset.
  • Requesting a recovery code.
  • Quickly trying out every possible recovery code against the account.

While looking for an account takeover vulnerability, the techie turned his attention to the Instagram forgot password endpoint. This is a process that helps users recover their account password if they have, by chance, forgotten it. Muthiyah first tried to compromise an account through Instagram web, however, due to the strong link-based password reset mechanism, he failed. He then turned his attention towards the mobile recovery flow where he found a susceptible behaviour. 

“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password for any account,” he said. Muthiyah’s tests show rate limiting, a mechanism put in place to control the amount of incoming and outgoing traffic to or from a network.

He claims that he sent thousands of requests to check whether Instagram’s systems are validating and rate limiting the requests properly. He found he was able to send requests continuously without getting blocked. In order to be able to change the password, he needed the code (which was sent to the account user’s registered mobile number). So there was only one, hit-and-trial, method that could have provided him with success. 

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realised that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack,” he explained. 

For a single person, it’s very difficult to send so many requests from different IPs in a short span of time, but according to Paul Ducklin, Senior Technologist at Sophos, cyber crooks with one or more botnets at their disposal could probably activate 5000 simultaneous connections from 5000 different IP numbers all over the world at a moment’s notice.

Ducklin says that although Instagram has plugged the flaw to save accounts from this attack if a user receives an account recovery code or a password reset message that you didn’t request, report it. It means that someone other than the user is probably trying to take over the account, hoping that the user won’t notice until after they’ve had a crack at getting in.

This is not the first time that Muthiyah has found a flaw in a Facebook app. In the past, he uncovered a data deletion flaw and a data disclosure bug on Facebook. The first bug meant he could have zapped all photos without knowing a user’s password. The second meant that he could have tricked a user into installing an innocent-looking mobile app that could riffle through all user’s Facebook pictures without being given access to your account.

Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.

We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.