We've said it before and we'll say it again. Tech companies have nothing to lose and everything to gain from bug bounty programs.
Yeah, you're giving out large sums sometimes, but the flaws pointed out in the process could save you millions down the road.
That's been proved again, this time by Chennai-based cybersecurity researcher Laxman Muthiya. He's been awarded a whopping $30,000 prize (approximately Rs 20.64 lakh) for spotting a major bug in Instagram's security features.
The loophole Muthiya spotted would have allowed him to gain access to any Instagram account, without needing access to their device or even having to trick them into clicking a phishing link or downloading a malicious app.
Apparently all he had to do was trigger a password reset (for which you only need a person's username) and request a recovery code. You can ask for this six-digit code to be sent to your device in case, for some reason, you don't have access to the email or Facebook account you've linked to your Instagram.
The thing is, these recovery codes expire after 10 minutes, and Muthiya found that Instagram blocked him from making further guesses after 200 tries. The only problem was, that 200 limit was counted per IP address, not per account. So with more computers automatically guessing codes at random, each from its own IP, he'd have no problem brute forcing his way into an account. And who has so many computing systems at their disposal? Well, the hackers that set up botnets for just this purpose, for instance.
To clarify, this bug would require a lot of compute power to let you hack a lot of accounts this way simultaneously. But if you have one specific target in mind, that's no problem. And Muthiya estimated one could even set this up using Google and Amazon's cloud servers for about $150.
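To make the flaw concrete from the defender's side, here is an added example (not code from the article, from Instagram or from Muthiya) that simulates the two rate-limiting designs at issue: a counter keyed on the source IP, as the article describes, and a counter keyed on the account under attack. The limits, the six-digit code space and the IP addresses in the constructed sample are assumptions chosen to match the article's numbers; the class and function names are invented for the illustration.

```python
"""Added example: why a per-IP attempt limit fails against a distributed
guesser while a per-account limit does not.  Constructed simulation only;
no network access, no real service."""
from collections import defaultdict

CODE_SPACE = 10 ** 6     # six-digit numeric recovery codes (assumption: 000000-999999)
MAX_ATTEMPTS = 200       # guesses allowed before the limiter blocks (figure from the article)


class PerIpLimiter:
    """Weak design: attempts are counted per source IP, so each new IP
    gets a fresh budget of MAX_ATTEMPTS guesses against the same account."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, account, ip):
        if self.counts[ip] >= self.limit:
            return False
        self.counts[ip] += 1
        return True


class PerAccountLimiter:
    """Hardened design: attempts are counted against the target account,
    so the budget is shared by every source IP that guesses for it."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, account, ip):
        if self.counts[account] >= self.limit:
            return False
        self.counts[account] += 1
        return True


def simulate(limiter, account, attempts, ip_pool):
    """Spread `attempts` code guesses for one account round-robin over the
    IPs in `ip_pool` and return how many the limiter lets through."""
    allowed = 0
    for i in range(attempts):
        ip = ip_pool[i % len(ip_pool)]
        if limiter.allow(account, ip):
            allowed += 1
    return allowed


def ips_needed_to_cover_space(limit=MAX_ATTEMPTS, space=CODE_SPACE):
    """Risk figure for the weak design: how many distinct source IPs a
    per-IP limiter lets reach the entire code space within one code's lifetime."""
    return -(-space // limit)   # ceiling division


# Constructed sample: 50 source addresses from the documentation range.
SAMPLE_IPS = [f"203.0.113.{n}" for n in range(1, 51)]

if __name__ == "__main__":
    target = "victim_username"   # constructed account name
    print("per-IP limiter, 1 IP, 10k guesses allowed:",
          simulate(PerIpLimiter(), target, 10_000, SAMPLE_IPS[:1]))
    print("per-IP limiter, 50 IPs, 10k guesses allowed:",
          simulate(PerIpLimiter(), target, 10_000, SAMPLE_IPS))
    print("per-account limiter, 50 IPs, 10k guesses allowed:",
          simulate(PerAccountLimiter(), target, 10_000, SAMPLE_IPS))
    print("IPs needed to cover the whole code space under per-IP limiting:",
          ips_needed_to_cover_space())
```

Running it shows the per-IP limiter stopping a single address at 200 guesses but letting 50 addresses through for all 10,000, while the per-account limiter holds the account to 200 guesses in total no matter how the requests are spread. In a real service the account-level counter should also be tied to the code's 10-minute lifetime and to how often a fresh code may be requested, otherwise re-issuing a code simply resets the budget.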
"I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report," he wrote in a blog post. "After a few emails and a proof-of-concept video, I could convince them the attack is feasible."
As a result, Facebook awarded him a massive cash bounty, and says it has since patched the vulnerability, so you're safe from it now.
In fact, Muthiya has uncovered bugs under Facebook's own bug bounty program in the past too. In 2015 he uncovered both a data deletion flaw and a data disclosure bug on Facebook's app. The first would have let him delete all your photos without knowing your password, and the second could have helped trick you into installing an innocent-looking app that would give him access to all your photos, without access to your account.
You should however still be aware of signs that something is amiss. If you receive a password reset request for your Instagram or other accounts, for instance, or a recovery code that you didn't ask for, you know it's a hacker hoping to gain access before you realise it. Report it immediately in that case and maybe beef up your security.
Aside from that, just stay away from clicking on links and downloading apps you know nothing about, okay?