In a blog post, Muthiyah detailed how someone could exploit the bug to hack several users' Instagram accounts.
He discovered that the same device ID, a unique identifier the Instagram server uses to validate password reset codes, could be used to request reset passcodes for many different users, so that a single device could later redeem any of them.
He added that anyone could hack a million accounts with a 100% success rate by exploiting the bug.
Anyone could hack a million accounts by requesting a million 6-digit passcodes
A 6-digit passcode has only one million possible values. Accordingly, by requesting passcodes for one million users from the same device ID and then submitting every value from 000000 to 999999 in turn, an attacker sweeps the entire code space, so each submitted value matches the pending code of some account in the batch; provided the whole sweep completes within 10 minutes (reset passcodes are only valid for that long), those accounts can be taken over.
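To make the arithmetic above concrete, here is an added example (not Muthiyah's proof of concept or Instagram's code) that models the flaw in Python with a shrunken 3-digit code space: a reset server that validates codes against the requesting device ID rather than against one account, a batch of victims whose codes were all requested from the attacker's device, and a sweep over every code value, next to a hardened server that binds each code to a single account and burns it after five wrong guesses. The server logic, the 3-digit space, the five-attempt lockout, the device ID and the user names are assumptions for illustration.

```python
"""Toy model of a reset endpoint that validates codes per device ID instead of
per account (added example; an assumed model, not Instagram's implementation)."""
import hmac
import random

CODE_SPACE = 1_000     # assumed toy 3-digit space; Instagram's 6-digit codes give 10**6 values
MAX_ATTEMPTS = 5       # assumed per-account lockout threshold for the hardened variant


class VulnerableResetServer:
    """A code is validated against the device ID that requested it, not against
    one specific account, so a device that requested codes for many accounts
    can redeem any of them by sweeping the code space once."""

    def __init__(self, rng):
        self.rng = rng
        self.pending = {}                  # user -> (device_id, code)

    def request_reset(self, user, device_id):
        code = self.rng.randrange(CODE_SPACE)
        self.pending[user] = (device_id, code)
        return code                        # delivered to the victim, never to the attacker

    def redeem(self, device_id, code):
        """Returns the account this device just took over, or None."""
        for user, (dev, pending_code) in list(self.pending.items()):
            if dev == device_id and pending_code == code:
                del self.pending[user]     # single-use code
                return user
        return None


class HardenedResetServer:
    """Binds each code to exactly one account, compares in constant time and
    burns the code after MAX_ATTEMPTS wrong guesses, so one guess tests one
    account and the sweep cannot be amortised across a batch of victims."""

    def __init__(self, rng):
        self.rng = rng
        self.pending = {}                  # user -> code
        self.failures = {}                 # user -> wrong guesses so far

    def request_reset(self, user, device_id):
        code = self.rng.randrange(CODE_SPACE)
        self.pending[user] = code
        self.failures[user] = 0
        return code

    def redeem(self, user, device_id, code):
        """Returns 'ok', 'wrong' or 'locked'. device_id is deliberately ignored:
        the attacker controls it, so it proves nothing about the account."""
        if user not in self.pending:
            return "locked"
        if hmac.compare_digest(f"{self.pending[user]:06d}", f"{code:06d}"):
            del self.pending[user]
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_ATTEMPTS:
            del self.pending[user]         # victim must request a fresh code
            return "locked"
        return "wrong"


def sweep_vulnerable(n_users, seed=1):
    """Attacker requests a code for every victim from one device, then submits
    every code value once. Returns (accounts taken over, codes the server issued)."""
    rng = random.Random(seed)
    server = VulnerableResetServer(rng)
    device = "attacker-device-id"          # assumed attacker-controlled identifier
    issued = [server.request_reset(f"user{i}", device) for i in range(n_users)]
    owned = []
    for code in range(CODE_SPACE):         # must finish inside the 10-minute code lifetime
        victim = server.redeem(device, code)
        if victim is not None:
            owned.append(victim)
    return owned, issued


def sweep_hardened(n_users, seed=1):
    """Same batch against the hardened server: each account has to be guessed
    separately and locks after MAX_ATTEMPTS, so the sweep no longer pays off."""
    rng = random.Random(seed)
    server = HardenedResetServer(rng)
    device = "attacker-device-id"
    issued = [server.request_reset(f"user{i}", device) for i in range(n_users)]
    owned = []
    for i in range(n_users):
        user = f"user{i}"
        for code in range(CODE_SPACE):
            status = server.redeem(user, device, code)
            if status == "ok":
                owned.append(user)
            if status in ("ok", "locked"):
                break
    return owned, issued


if __name__ == "__main__":
    v_owned, _ = sweep_vulnerable(1000)
    h_owned, _ = sweep_hardened(1000)
    print(f"vulnerable server: {len(v_owned)} of 1000 accounts taken over by one device")
    print(f"hardened server:   {len(h_owned)} of 1000 accounts taken over")
```

With random codes, a batch of 1000 victims against 1000 code values does not hand over all 1000 accounts: the issued codes cover roughly 63% (1 - 1/e) of the space, and each distinct value redeems one account, since the server matches on the device ID rather than on a particular user. The cost of the sweep is the same whether it targets one account or a million, which is what makes the bug an account-takeover at scale. Against the hardened server the same sweep gets at most five guesses per account; the 10-minute code lifetime, not modelled here, further caps the wall-clock time available for either sweep.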
Facebook has since fixed the bug, thanked the techie
After Muthiyah pointed out the bug, Facebook fixed the error, and thanked him.
It said that it looked forward to more such reports from him in the future, as it helped strengthen the social network's security.
Facebook sent a letter to Muthiyah, saying, "You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery."
"I thank Facebook security team for rewarding me"
In the blog post, Muthiyah wrote, "Facebook and Instagram security team fixed the issue and rewarded me $10,000 as a part of their bounty program." He added, "I thank Facebook security team for rewarding me through their bug bounty program."
Muthiyah hacked Instagram once before too; had won Rs. 21L
Last month, too, Muthiyah had found a similar vulnerability on Instagram, which exposed accounts to takeover.
This account takeover vulnerability was also related to new password requests.
Initially, Facebook was unable to reproduce the attack, but after Muthiyah convinced them that the attack is feasible through "a few emails and solid proof of concept video," he was awarded $30,000 (roughly Rs. 21.6 lakh).