Chennai techie finds Instagram bug, again; wins Rs. 7 lakh
A Chennai-based security researcher was awarded $10,000 (Rs. 7.18 lakh) for discovering a bug on the photo/video sharing application, Instagram. According to reports, the researcher, Laxman Muthiyah, pointed out a new account takeover vulnerability on Instagram, which allowed anyone to hack into a user's Instagram account without consent. Muthiyah was awarded as part of Instagram's bug bounty program. Here's more about the development.
In a blog post, Muthiyah detailed how someone could exploit the bug to hack several users' Instagram accounts. He discovered that the same device ID (a unique identifier the Instagram server uses to validate password reset codes) could be used to request passcodes for many different users. He added that, by exploiting the bug, anyone could hack a million accounts with a 100% success rate.
The 6-digit passcodes have only one million possible values. Accordingly, by requesting passcodes for one million users from the same device ID, an attacker can hack all one million accounts by trying every passcode in turn against that device ID, provided the attack completes within 10 minutes (reset passcodes are valid for only 10 minutes).
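To make the mechanics concrete, here is an added toy model of the flaw the article describes; it is constructed for this page and is not Instagram's code or Muthiyah's proof of concept. The vulnerable server keys pending codes by device ID alone and accepts a submitted code if it matches any code outstanding for that device, so one attacker device holding codes for many users turns a 1-in-a-million guess into a sweep that unlocks every user whose code is still pending. The hardened server binds each code to the (user, device) pair, allows a small number of guesses per code, and burns the code after too many misses. Class names, the MAX_ATTEMPTS value and the sample users are assumptions of the example.

```python
"""Toy model of a recovery-code endpoint that validates codes per device ID
(vulnerable) versus per (user, device) with an attempt limit (hardened).
Constructed example for illustration; not Instagram's implementation."""
import secrets
import time
from collections import defaultdict

CODE_SPACE = 1_000_000   # 6-digit numeric codes: 000000-999999
CODE_TTL = 600           # reset codes expire after 10 minutes
MAX_ATTEMPTS = 5         # hardened server: guesses allowed per pending code (assumed value)


def random_code():
    """Default code source: a cryptographically random 6-digit code."""
    return secrets.randbelow(CODE_SPACE)


def sequential_codes(start=0):
    """Deterministic code source for reproducible demos and tests only."""
    state = [start - 1]
    def next_code():
        state[0] += 1
        return state[0] % CODE_SPACE
    return next_code


class VulnerableRecovery:
    """Pending codes are keyed only by device_id.  Many users' codes can be
    requested from one device, and a submitted (device_id, code) is accepted
    if it matches ANY of that device's outstanding codes."""

    def __init__(self, clock=time.monotonic, code_source=random_code):
        self.clock = clock
        self.code_source = code_source
        self.pending = defaultdict(dict)   # device_id -> {code: (user, expiry)}

    def request_code(self, user, device_id):
        code = self.code_source()
        self.pending[device_id][code] = (user, self.clock() + CODE_TTL)
        return code   # delivered to the user out of band; the attacker never sees it

    def verify(self, device_id, code):
        """Return the user whose password reset is unlocked, or None."""
        entry = self.pending[device_id].pop(code, None)
        if entry is None:
            return None
        user, expiry = entry
        return user if self.clock() <= expiry else None


class HardenedRecovery:
    """Codes are bound to (user, device_id); each pending code tolerates
    MAX_ATTEMPTS guesses and is discarded once they are used up, so the
    attacker cannot walk the code space."""

    def __init__(self, clock=time.monotonic, code_source=random_code):
        self.clock = clock
        self.code_source = code_source
        self.pending = {}   # (user, device_id) -> [code, expiry, attempts_left]

    def request_code(self, user, device_id):
        code = self.code_source()
        self.pending[(user, device_id)] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, user, device_id, code):
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None or self.clock() > entry[1]:
            self.pending.pop(key, None)          # expired or never issued
            return None
        entry[2] -= 1                            # every guess costs an attempt
        if secrets.compare_digest(f"{entry[0]:06d}", f"{code:06d}"):
            del self.pending[key]
            return user
        if entry[2] <= 0:                        # too many misses: code is burned
            del self.pending[key]
        return None


def attack_vulnerable(server, users, device_id="attacker-device"):
    """The article's attack: request a code for every target from one device ID,
    then try all 10^6 codes against that device ID.  Returns the users unlocked."""
    for user in users:
        server.request_code(user, device_id)
    compromised = set()
    for code in range(CODE_SPACE):
        user = server.verify(device_id, code)
        if user is not None:
            compromised.add(user)
    return compromised


def attack_hardened(server, users, device_id="attacker-device"):
    """Same attacker against the hardened server: per-user guessing stops as
    soon as the pending code is burned, long before the space is exhausted."""
    for user in users:
        server.request_code(user, device_id)
    compromised = set()
    for user in users:
        for code in range(CODE_SPACE):
            if server.verify(user, device_id, code) is not None:
                compromised.add(user)
                break
            if (user, device_id) not in server.pending:
                break   # code burned after MAX_ATTEMPTS misses
    return compromised


if __name__ == "__main__":
    targets = [f"user{i}" for i in range(1000)]          # constructed sample targets
    print("vulnerable server: compromised", len(attack_vulnerable(VulnerableRecovery(), targets)), "of", len(targets))
    print("hardened server:   compromised", len(attack_hardened(HardenedRecovery(), targets)), "of", len(targets))
```

Running the script shows the vulnerable server giving up essentially every target (only code collisions between targets are lost) after a single walk of the one-million-code space, while the hardened server yields none: each user's code survives only MAX_ATTEMPTS guesses, so the attacker's expected success is MAX_ATTEMPTS divided by the code space per target rather than a near-certain sweep.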
After Muthiyah pointed out the bug, Facebook fixed it and thanked him. It said that it looked forward to more such reports from him in the future, as they helped strengthen the social network's security. Facebook sent a letter to Muthiyah, saying, "You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery."
In the blog post, Muthiyah wrote, "Facebook and Instagram security team fixed the issue and rewarded me $10,000 as a part of their bounty program." He added, "I thank Facebook security team for rewarding me through their bug bounty program."
Last month, too, Muthiyah had found a similar vulnerability on Instagram, which left accounts prone to hacking. That account takeover vulnerability was also related to password reset requests. Initially, Facebook was unable to reproduce the attack, but after Muthiyah convinced them that the attack was feasible through "a few emails and solid proof of concept video," he was awarded $30,000 (roughly Rs. 21.6 lakh).