
A security researcher uncovered a bug in Instagram's account recovery process that could have been exploited to take over people's accounts.

Researcher Laxman Muthiyah found the bug while investigating how the social media app lets you regain access to your account if you have forgotten your password. To prove your identity, Instagram can send a six-digit random code to your smartphone via SMS. You are then asked to enter the digits into the app.

Muthiyah wondered whether anyone could "brute force" the process by submitting an enormous number of combinations to guess the correct code. As it turns out, you can, under certain conditions.
Instagram does place some restrictions on submitting codes to the account recovery process. They include rate-limiting guesses to 250 per IP address, and the guesses must also be made within a 10-minute window.

A six-digit code means there are a million possible combinations to try. That is far too many for any human to enter by hand. However, Muthiyah found he could automate a brute-force attack against Instagram through its API. He did this by writing a script that submitted a large number of guesses concurrently from a rotating list of IP addresses, so that no single address exceeded the per-IP limit.
Muthiyah uploaded a video demonstrating the attack, which shows him sending 200,000 guesses to break into an Instagram test account. "In a real attack situation, the attacker needs 5,000 IPs to hack an account. It sounds massive, but that's actually simple if you utilize a cloud service provider like Amazon or Google. It might cost around $150 to perform the complete attack of 1 million codes," he wrote in his blog post.
The good news is that Instagram has fixed the bug. Muthiyah told PCMag that the app now caps the number of passcode guesses you can send for an account, even when they arrive from multiple IP addresses. "Hence one can't send all the chances within 10 minutes," he said in a chat over Facebook Messenger.
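To make the difference between the two designs concrete, here is an added example (not code from Instagram or from Muthiyah's write-up) of a recovery-code verifier that enforces the article's per-IP limit of 250 guesses in a 10-minute window, with an optional per-account cap modelling the fix. The `RecoveryCodeVerifier` class, the `guesses_checked` test harness and the per-account limit of 10 are assumptions for illustration; the harness only counts how many guesses a limiter lets through when traffic is spread across many source addresses.

```python
import secrets
from collections import defaultdict

CODE_LEN = 6
WINDOW_SECONDS = 600  # the 10-minute validity window described in the article
PER_IP_LIMIT = 250    # the per-IP guess limit described in the article

class RecoveryCodeVerifier:
    """per_account_limit=None models the original per-IP-only design; a small number models the fix."""

    def __init__(self, per_account_limit=None, clock=lambda: 0.0):
        self.per_account_limit = per_account_limit
        self.clock = clock                              # injectable for tests
        self.codes = {}                                 # account -> (code, issued_at)
        self.ip_window = defaultdict(lambda: [0.0, 0])  # ip -> [window_start, count]
        self.account_guesses = defaultdict(int)         # account -> guesses at this code

    def issue_code(self, account):
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.codes[account] = (code, self.clock())
        self.account_guesses[account] = 0
        return code

    def verify(self, account, ip, guess):
        # Returns 'ok', 'wrong', 'expired', 'ip_limited' or 'account_limited'.
        now = self.clock()
        if account not in self.codes or now - self.codes[account][1] >= WINDOW_SECONDS:
            return "expired"
        window = self.ip_window[ip]
        if now - window[0] >= WINDOW_SECONDS:
            window[:] = [now, 0]                        # start a fresh per-IP window
        if window[1] >= PER_IP_LIMIT:
            return "ip_limited"                         # the only check the weak design has
        if self.per_account_limit is not None and \
                self.account_guesses[account] >= self.per_account_limit:
            return "account_limited"                    # the fix: cap guesses per code, not per IP
        window[1] += 1
        self.account_guesses[account] += 1
        if secrets.compare_digest(guess, self.codes[account][0]):
            del self.codes[account]                     # a code is single use
            return "ok"
        return "wrong"

def guesses_checked(verifier, account, n_ips):
    """Harness (constructed): n_ips sources each send PER_IP_LIMIT wrong guesses; returns how many got through."""
    real = verifier.issue_code(account)
    wrong = "000000" if real != "000000" else "000001"
    return sum(verifier.verify(account, f"10.0.{ip // 256}.{ip % 256}", wrong) == "wrong"
               for ip in range(n_ips) for _ in range(PER_IP_LIMIT))
```

With 40 source addresses the per-IP-only verifier lets all 10,000 guesses through, while the per-account version stops after 10, which is the property the fix described above restores.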
In an email, Instagram told PCMag: "We have fixed the problem and located no proof of misuse. We're grateful to the research worker for his help in identifying the problem." The app's parent, Facebook, has a bug bounty program through Bugcrowd, which awarded Muthiyah $30,000 for finding the vulnerability.