Chennai Guy Spots Another Flaw In Instagram, Gets Rewarded Rs 7.2 Lakh More For His Effort
Last month, Chennai-based security researcher Laxman Muthiyah won $30,000 from Facebook for spotting a major flaw in Instagram. Now, he's spotted another exploit that would allow an attacker to remotely hack into a user's account on the app.
At this rate, it won't be a surprise if Instagram or Facebook hired the young white-hat hacker.
The new vulnerability is similar to the one Muthiyah reported back in July, he says, allowing someone to gain access to a person's Instagram account without their consent. The issue has now been fixed, Facebook reports, and Muthiyah has received another $10,000 reward (approximately Rs 7.2 lakh) for his efforts.
"Facebook and Instagram security team fixed the issue and rewarded me $10,000 as a part of their bounty programme," Muthiyah said in a blog post.
When you get locked out of your account, the device ID is the unique identifier the Instagram server uses to validate reset codes. When a user requests a passcode from their mobile device, a device ID is sent along with the request, and the same device ID is used again to verify the passcode.
The device ID is a random string generated by the app. The thing is, he realised the same device ID could be used to request passcodes for multiple Instagram accounts. This matters because password reset codes are six digits long, so there are a million possible codes that an attacker with an automated bot could try.
Of course, Instagram doesn't let you keep trying: it locks you out once you enter the wrong code 200 times, and you only have 10 minutes to input the reset code. But if you could request multiple resets at the same time and try random codes on all of them simultaneously, your chances of success go up. That was unfortunately allowed by Instagram, which is what Muthiyah pointed out needed to be changed.
The previous bug he identified let him get around the 200-try limit, because that limit was apparently tied to the IP address through which you were connected to the app.
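As an added illustration (not Instagram's code or Muthiyah's), the following Python models the two designs the article contrasts: a reset-code verifier whose failed-attempt counter is keyed per device ID, beside one keyed per account. The six-digit codes, 200-attempt lock-out and 10-minute expiry are the values from the article; the class, method names and the constructed account and device names are assumptions.

```python
import secrets
import time

CODE_DIGITS = 6          # six-digit reset codes
MAX_ATTEMPTS = 200       # lock-out threshold from the article
CODE_TTL_SECONDS = 600   # codes expire after 10 minutes

class ResetCodeVerifier:
    """Verifies reset codes. Failed attempts are counted under a key chosen by
    `scope`: 'device' (weak: a fresh budget for every new device ID) or
    'account' (hardened: one budget per account, whatever submits guesses)."""

    def __init__(self, scope, clock=time.time):
        assert scope in ("device", "account")
        self.scope, self.clock = scope, clock
        self.codes = {}     # account -> (code, issued_at)
        self.attempts = {}  # counter key -> failed attempts

    def issue_code(self, account):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[account] = (code, self.clock())
        return code

    def verify(self, account, device_id, guess):
        """Returns 'ok', 'wrong', 'locked' or 'expired'."""
        code, issued_at = self.codes.get(account, (None, 0.0))
        if code is None or self.clock() - issued_at > CODE_TTL_SECONDS:
            return "expired"
        key = device_id if self.scope == "device" else account
        if self.attempts.get(key, 0) >= MAX_ATTEMPTS:
            return "locked"
        if secrets.compare_digest(guess, code):
            del self.codes[account]          # single use
            return "ok"
        self.attempts[key] = self.attempts.get(key, 0) + 1
        return "wrong"

def wrong_guesses_checked(scope, n_devices, per_device=MAX_ATTEMPTS + 50):
    """How many wrong guesses for one account's code the server actually
    checks when n_devices each submit per_device guesses (constructed run)."""
    v = ResetCodeVerifier(scope)
    code = v.issue_code("alice")
    bad = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"  # guaranteed wrong
    checked = 0
    for d in range(n_devices):
        for _ in range(per_device):
            if v.verify("alice", f"device-{d}", bad) == "wrong":
                checked += 1
    return checked
```

With the per-device counter, three devices get 600 checked guesses against one code; with the per-account counter the total stays at 200 regardless of how many devices join in.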