An India-based security researcher discovered a bug in Instagram’s account recovery process that could have allowed attackers to break into users’ accounts.
Independent researcher Laxman Muthiyah said that he found the vulnerability while investigating how the photo-sharing application’s account recovery process lets you regain access to your account when you have forgotten the password. In a video, the researcher showed how he used a brute-force attack against Instagram’s account recovery process.
“Instagram’s forgot-password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn’t find any bugs after a few minutes of testing. Then I switched to their mobile recovery flow, where I was able to find a susceptible behaviour,” Laxman Muthiyah said in a post.
“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They must enter it to change their password. Therefore, if we can try all the one million codes on the verify-code endpoint, we would be able to change the password of any account. But I was pretty sure that there must be some rate-limiting against such brute-force attacks. I decided to test it,” Muthiyah added.
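To make concrete why a six-digit recovery code needs a per-code attempt limit, the following is an added example written for this article; it is not Instagram’s or the researcher’s code. It shows an unprotected verify step beside one that enforces an attempt limit, an expiry and single use. The policy values (MAX_ATTEMPTS, CODE_TTL_SECONDS), the in-memory store and the account names are assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6
MAX_ATTEMPTS = 5        # assumed policy: a code is locked after 5 wrong guesses
CODE_TTL_SECONDS = 600  # assumed policy: a code is valid for 10 minutes


class OtpStore:
    """In-memory store of recovery codes keyed by account (constructed for the example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._codes = {}         # account -> {"code", "issued_at", "attempts"}

    def issue(self, account):
        # Cryptographically random, zero-padded six-digit code.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[account] = {"code": code, "issued_at": self._now(), "attempts": 0}
        return code

    def verify_unprotected(self, account, guess):
        # Weak variant: no attempt counter, no expiry, code stays valid after a miss.
        # With 10**6 possible codes, an unlimited number of tries is enough to find it.
        entry = self._codes.get(account)
        return entry is not None and entry["code"] == guess

    def verify_protected(self, account, guess):
        # Hardened variant: bounded attempts per issued code, expiry and single use.
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        if self._now() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        if entry["attempts"] >= MAX_ATTEMPTS:
            return "locked"      # even the right code is refused once the budget is spent
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], guess):   # constant-time comparison
            del self._codes[account]                    # single use
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        return "wrong"


def guess_success_probability(max_attempts=MAX_ATTEMPTS):
    """Chance that max_attempts random guesses hit one uniformly chosen code."""
    return max_attempts / 10 ** CODE_LENGTH


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("demo-account")
    print("issued", code, "P(success) with attempt limit:", guess_success_probability())
```

The budget is tied to the issued code rather than to the caller, so a request that spreads guesses across many clients is still limited to MAX_ATTEMPTS per code; a production service would layer per-client rate limiting on top of this.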
The researcher said Facebook’s security team fixed the issue and rewarded him $30,000 as part of its bug bounty program.
Separately, an unprotected server containing personal information of millions of Instagram influencers, celebrities and brand accounts was recently found online. According to security researcher Anurag Sen, who discovered the leak and notified TechCrunch, the database held over 49 million records and was accessible to anyone.
The exposed data included users’ bio data, profile pictures, follower counts, their location by city and country, and contact information such as the account owner’s email address and phone number. Sen said the leaky database belongs to Chtrbox, a social media marketing firm based in Mumbai, India. Chtrbox stated that the database was taken offline and that it has called for an investigation into the incident.