Indian finds 'account-hacking' bug in Instagram, wins Rs. 20 lakh
An Indian security researcher has bagged $30,000 (over Rs. 20 lakh) for flagging a critical bug in Instagram, the photo-sharing service owned by Facebook. Laxman Muthiyah was looking for vulnerabilities in Instagram's systems when he detected an issue that allowed him to break into accounts. He then reported the bug to Facebook, prompting the company to release an immediate fix for it. Here's more.
Bug allowed him to conduct brute-force attacks
As a white-hat hacker, Muthiyah looked at different ways to break into Instagram accounts. First, he tried the platform's website, attempting an attack through the common 'forgot password' endpoint. After failing to find a vulnerability on the web, he switched to the mobile app and there found a way to conduct a brute-force attack.
Here's what Muthiyah said about Instagram's system security
On the web, "they have a link based password reset mechanism which is pretty strong and I couldn't find any bugs after a few minutes of testing". However, "when I switched to their mobile recovery flow... I was able to find susceptible behavior."
The issue allowed him to take over accounts
The hack, Muthiyah said, revolved around requesting a new password and then trying different possible recovery codes in as little time as possible. It worked for almost every Instagram account, giving him access to any Instagram account of his choice without the consent or permission of its owner. Naturally, this could have been a major issue had a security researcher not found it first.
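The defence against the attack described above is to make guessing a recovery code pointless: the code must be short-lived, single-use, and backed by an attempt budget that is tied to the account and the code rather than to the source of the requests. The following is an added example written for this article; it is not Instagram's or Facebook's code, and the code length (6 digits), lifetime (10 minutes) and attempt cap (5) are assumed policy values, not the platform's real settings.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not Instagram's real settings): a 6-digit numeric
# code, valid for 10 minutes, with at most 5 verification attempts per code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class _PendingReset:
    code: str
    expires_at: float
    attempts: int = 0


class ManualClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, now: float = 1_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class RecoveryCodeService:
    """Issues and verifies password-reset codes with a per-code attempt budget."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._pending: dict[str, _PendingReset] = {}

    def issue_code(self, account_id: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Issuing a new code replaces any earlier one, so the attempt budget
        # does not accumulate across reissues.
        self._pending[account_id] = _PendingReset(
            code=code, expires_at=self._clock() + CODE_TTL_SECONDS
        )
        # Returned here only so the example can exercise it; a real service
        # delivers the code out of band and never hands it back to the caller.
        return code

    def verify(self, account_id: str, submitted: str) -> str:
        pending = self._pending.get(account_id)
        if pending is None:
            return "no_pending_reset"
        if self._clock() > pending.expires_at:
            del self._pending[account_id]
            return "expired"
        # Count the attempt before comparing, so every guess consumes the
        # budget regardless of where the requests originate.
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]
            return "locked"
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[account_id]  # single use
            return "ok"
        return "wrong_code"


def demo() -> list[str]:
    """Spend the attempt budget on wrong guesses, then submit the right code."""
    clock = ManualClock()
    service = RecoveryCodeService(clock)
    real_code = service.issue_code("alice")  # constructed account id
    wrong = "000000" if real_code != "000000" else "000001"
    outcomes = [service.verify("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    outcomes.append(service.verify("alice", real_code))  # budget already spent
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of the design is that once the budget is spent the code is discarded, so even the correct value is rejected and a fresh code must be requested, which the legitimate user sees. Because the counter lives with the code rather than with a client address, the limit holds no matter how requests are spread out, and `hmac.compare_digest` keeps the comparison itself from leaking timing information about the code.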
Instagram has patched the issue, awarded Muthiyah
When Muthiyah first reached out to Facebook with his bug report, the company did not understand the issue. After a few emails providing additional information and a video demonstrating how it could be exploited, the company's security team recognized the potential threat. Instagram then issued a fix for the bug and awarded Muthiyah $30,000 (Rs. 20 lakh) under its bug bounty program.