Laxman Muthiyah, an India-based security researcher, recently discovered a bug in Instagram’s account recovery process that could have allowed attackers to break into users’ accounts. The Facebook-owned Instagram rewarded the researcher with a $10,000 bounty for reporting the vulnerability.
The researcher said he found the vulnerability while investigating how the photo-sharing application’s account recovery process lets a user regain access to their account after forgetting the password.
According to Muthiyah, the Instagram server uses device ID as a unique identifier to validate password reset codes. “When a user requests a passcode using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the passcode,” Muthiyah said in a statement.
The researcher found that the same device ID can be used to request passcodes for multiple Instagram accounts of different users, allowing an attacker to breach multiple accounts with a single device ID.
“There are one million probabilities for a 6-digit passcode (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts. For example, if you request passcodes of a hundred thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request passcodes for one million users, we would be able to hack all the one million accounts easily by incrementing the passcodes, one by one. Therefore, an attacker should request codes of one million users to complete the attack with a 100 percent success rate. We should also note the 10 minutes expiry of the code, so the entire attack should happen within 10 minutes,” Muthiyah explained.
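The design problem described above is easiest to see in code. The following is an added illustrative model, not Instagram’s implementation: the class names, the in-memory stores, the attempt limit and the per-device cap are assumptions made for the demonstration, and only the six-digit code space and the 10-minute expiry come from the article. The first verifier files every outstanding code under the requesting device ID alone, so a single device can accumulate codes for many accounts and any submitted code is accepted for whichever of them it matches; the second binds each code to one (account, device) pair, makes it single-use, bounds the number of attempts, and refuses to hold live codes for more than a few accounts per device.

```python
import secrets

CODE_LIFETIME_SECONDS = 10 * 60   # the article quotes a 10-minute expiry
MAX_ATTEMPTS_PER_CODE = 5         # assumed hardening value, not from the article
MAX_ACCOUNTS_PER_DEVICE = 3       # assumed hardening value, not from the article


def random_code():
    """Six-digit passcode drawn from the 000000..999999 space the article describes."""
    return f"{secrets.randbelow(1_000_000):06d}"


def single_guess_hit_rate(outstanding_codes):
    """Upper bound on the chance that one submitted code matches some live code
    when all of them were issued to the same device ID; reproduces the article's
    figures (100k codes -> 10%, 1M codes -> 100%) by ignoring code collisions."""
    return min(outstanding_codes, 1_000_000) / 1_000_000


class DeviceKeyedVerifier:
    """Model of the reported flaw: codes are keyed by device ID only."""

    def __init__(self, codegen=random_code):
        self._codes = {}  # device_id -> {code: (account, issued_at)}
        self._codegen = codegen

    def request_code(self, account, device_id, now):
        code = self._codegen()
        self._codes.setdefault(device_id, {})[code] = (account, now)
        return code  # in a real system this goes out of band to the account owner

    def outstanding(self, device_id):
        """Number of live codes a single device ID is holding."""
        return len(self._codes.get(device_id, {}))

    def verify(self, code, device_id, now):
        """Returns the account whose reset is granted, or None.  Note that the
        caller never states which account it is resetting: the match decides."""
        entry = self._codes.get(device_id, {}).get(code)
        if entry is None:
            return None
        account, issued_at = entry
        if now - issued_at > CODE_LIFETIME_SECONDS:
            return None
        return account


class AccountBoundVerifier:
    """Hardened model: a code belongs to one (account, device_id) pair, is
    single-use, expires, tolerates a bounded number of attempts, and a device
    may hold live codes for only a few accounts at once."""

    def __init__(self, codegen=random_code):
        self._codes = {}            # (account, device_id) -> [code, issued_at, attempts]
        self._device_accounts = {}  # device_id -> set of accounts with a live code
        self._codegen = codegen

    def _drop(self, key):
        self._codes.pop(key, None)
        account, device_id = key
        self._device_accounts.get(device_id, set()).discard(account)

    def request_code(self, account, device_id, now):
        """Returns the code to deliver, or None when the device is over its cap
        (one device requesting resets for many accounts is the anomaly to log)."""
        live = self._device_accounts.setdefault(device_id, set())
        if account not in live and len(live) >= MAX_ACCOUNTS_PER_DEVICE:
            return None
        code = self._codegen()
        self._codes[(account, device_id)] = [code, now, 0]  # replaces any earlier code
        live.add(account)
        return code

    def verify(self, account, code, device_id, now):
        key = (account, device_id)
        entry = self._codes.get(key)
        if entry is None:
            return False
        stored, issued_at, attempts = entry
        if now - issued_at > CODE_LIFETIME_SECONDS or attempts >= MAX_ATTEMPTS_PER_CODE:
            self._drop(key)  # expired or exhausted: the code is dead either way
            return False
        entry[2] += 1
        if secrets.compare_digest(stored, code):
            self._drop(key)  # single use
            return True
        return False


if __name__ == "__main__":
    flawed = DeviceKeyedVerifier()
    for user in ("alice", "bob", "carol"):
        flawed.request_code(user, "shared-device", now=0)
    print("flawed verifier holds", flawed.outstanding("shared-device"), "codes for one device")
    print("hit rate with 100k live codes:", single_guess_hit_rate(100_000))
```

The defender-side takeaways are the two things the flawed verifier lacks: the verification key must include the account being reset, and the number of live codes any one device (or IP, or client) may hold should be small enough that a single guess cannot match across thousands of accounts.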
Recently, an unprotected server containing personal information of millions of Instagram influencers, celebrities, and brand accounts was found online without password protection. According to security researcher Anurag Sen, who discovered the leak, the database had over 49 million records exposed online, allowing anyone to access it. The exposed data included users’ biodata, profile picture, the number of followers they have, their location by city and country, and contact information such as the Instagram account owner’s email address and phone number.
Anurag stated that the leaky database belonged to Chtrbox, a social media marketing firm based in Mumbai, India. Chtrbox stated that the database has been taken offline and called for an investigation into the incident.