A security researcher uncovered a bug in Instagram’s account recovery process that could have been exploited to hijack people’s accounts.
Researcher Laxman Muthiyah found the bug while investigating how the social media app lets you regain access to your account if you have forgotten your password. To prove your identity, Instagram can send a random six-digit code to your smartphone via SMS. You are then asked to enter those digits into the app.
Muthiyah wondered whether anyone could “brute force” the process by submitting an enormous number of combinations to guess the correct code. As it turns out, you can, under certain conditions.
Instagram does impose some restrictions on entering codes during account recovery: guesses are rate-limited to 250 per IP address, and they must be made within a 10-minute window.
A six-digit code means there are a million possible combinations to try, far too many for any human to enter by hand. But Muthiyah found he could automate a brute-force attack against Instagram through its API. He did this by writing a script that submitted a huge number of guesses simultaneously from a rotating list of IP addresses.
Muthiyah uploaded a video demonstrating the attack, in which he sends 200,000 guesses to break into an Instagram test account. “In a real attack situation, the attacker needs 5,000 IPs to hack an account. It sounds massive; however, that’s actually simple if you utilize a cloud service provider like Amazon or Google. It might cost around $150 to perform the complete attack of 1 million codes,” he wrote in his blog post.
The good news is that Instagram has fixed the bug. Muthiyah told PCMag the app now limits the number of passcode guesses you can send even when using multiple IP addresses. “Hence one can’t send all the chances within 10 minutes,” he said in a chat over Facebook Messenger.
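As an added illustration, not code from the article, from Muthiyah or from Instagram, the model below contrasts the two throttling policies the article describes: a per-IP limit of 250 guesses in a 10-minute window, which resets whenever the source address changes, and a per-account counter that bounds the total number of guesses regardless of how many IPs are used. The account names, codes and the per-account limit of 10 are constructed assumptions.

```python
import hmac
import time
from collections import defaultdict

PER_IP_LIMIT = 250        # article: 250 guesses per IP ...
WINDOW_SECONDS = 600      # ... within a 10-minute window
PER_ACCOUNT_LIMIT = 10    # assumed per-account cap (constructed, not from the article)


class RecoveryCodeVerifier:
    """per_account=False: only the per-IP counter (pre-fix design, defeated by IP
    rotation). per_account=True: adds a per-account counter bounding total guesses."""

    def __init__(self, per_account: bool, now=time.time):
        self.per_account = per_account
        self.now = now
        self.codes = {}                       # account -> issued six-digit code
        self.ip_attempts = defaultdict(list)  # ip -> timestamps of guesses
        self.account_failures = defaultdict(int)

    def issue_code(self, account: str, code: str) -> None:
        self.codes[account] = code
        self.account_failures[account] = 0

    def _ip_over_limit(self, ip: str) -> bool:
        cutoff = self.now() - WINDOW_SECONDS
        self.ip_attempts[ip] = [t for t in self.ip_attempts[ip] if t > cutoff]
        return len(self.ip_attempts[ip]) >= PER_IP_LIMIT

    def verify(self, account: str, ip: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'blocked'."""
        if self._ip_over_limit(ip):
            return "blocked"
        if self.per_account and self.account_failures[account] >= PER_ACCOUNT_LIMIT:
            return "blocked"
        self.ip_attempts[ip].append(self.now())
        expected = self.codes.get(account)  # None once used or voided
        if expected is not None and hmac.compare_digest(expected, guess):
            del self.codes[account]  # codes are single use
            return "ok"
        self.account_failures[account] += 1
        if self.per_account and self.account_failures[account] >= PER_ACCOUNT_LIMIT:
            self.codes.pop(account, None)  # too many failures: void the code
        return "wrong"


def guesses_processed(per_account: bool, ips: int, per_ip: int) -> int:
    v = RecoveryCodeVerifier(per_account)
    v.issue_code("alice", "123456")  # constructed account and code
    return sum(v.verify("alice", f"10.0.{i // 256}.{i % 256}", "000000") == "wrong"
               for i in range(ips) for _ in range(per_ip))
```

With the per-IP counter alone, 20 addresses each get their full 250 guesses evaluated; with the per-account counter the same traffic is cut off after 10 failures and the code is voided.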
In an email, Instagram told PCMag: “We have fixed the problem and located no proof of misuse. We’re grateful to the researcher for his help in identifying the problem.” The app’s parent company, Facebook, runs a bug bounty program through Bugcrowd, which awarded Muthiyah $30,000 for finding the vulnerability.