Chennai-based security researcher Laxman Muthiyah on Monday disclosed a bug in the Facebook-owned Instagram that allowed anyone to hack accounts on the popular photo-sharing social networking service. The revelation came barely a month after he reported a similar flaw in Instagram.
Muthiyah found that the same device ID, the unique identifier the Instagram server uses to validate a password reset code, could be used to request passcodes for many different users. He showed that this bug could easily be used to hack multiple Instagram accounts.
Muthiyah, in a blog post, wrote, “there are one Mn possibilities for a 6 digit passcode that is between 000000 to 999999. When a hacker requests a passcode to change password, they are increasing the probability of hacking into an account.”
He further explained that if the hackers request passcodes for 100 K users using the same device, there is a 10% success rate, as 100 K codes have been issued to the same device. However, if the hackers request passcodes for 1 Mn users, they will be able to hack all 1 Mn accounts by incrementing the passcode.
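The server-side logic described above, modelled as an added example (not Instagram's code or Muthiyah's): a vulnerable store that looks reset codes up by device ID alone, beside a hardened store that binds each code to one user and caps outstanding codes per device, plus the probability calculation behind the 100 K and 1 Mn figures. Class and function names are assumed for illustration.

```python
import secrets
from collections import defaultdict

CODE_SPACE = 1_000_000  # six-digit passcode, 000000 to 999999


class VulnerableResetStore:
    """Models the flawed logic the article describes: a reset code is looked up
    by the requesting device ID alone, so one device ID can accumulate codes for
    any number of users and a single guessed code is matched against all of them."""

    def __init__(self):
        self.codes_by_device = defaultdict(dict)  # device_id -> {code: user}

    def request_code(self, device_id, user):
        code = secrets.randbelow(CODE_SPACE)
        self.codes_by_device[device_id][code] = user
        return code

    def verify(self, device_id, code):
        # Returns whichever user the code happens to belong to, or None.
        return self.codes_by_device[device_id].get(code)


class HardenedResetStore:
    """Binds each code to (user, device) and caps outstanding codes per device,
    so a guess is only ever checked against one account's single code."""

    def __init__(self, max_per_device=5):
        self.codes = {}  # (user, device_id) -> code
        self.outstanding = defaultdict(int)  # device_id -> codes issued
        self.max_per_device = max_per_device

    def request_code(self, device_id, user):
        if self.outstanding[device_id] >= self.max_per_device:
            raise PermissionError("reset-code quota exceeded for this device")
        code = secrets.randbelow(CODE_SPACE)
        self.codes[(user, device_id)] = code
        self.outstanding[device_id] += 1
        return code

    def verify(self, device_id, user, code):
        return self.codes.get((user, device_id)) == code


def success_probability(outstanding_codes):
    """Chance that one random guess matches any code pending on a device in the
    vulnerable design: 100,000 pending codes give 0.1, a million give 1.0."""
    return min(outstanding_codes, CODE_SPACE) / CODE_SPACE
```

The hardened store's quota is deliberately conservative: repeated requests for the same user on one device also count against it, which is the behaviour a defender wants on a recovery endpoint.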
“You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery,” Facebook said in a letter to Muthiyah.
The Facebook security team has fixed the bug, and Instagram can no longer be hacked using this vulnerability.
Muthiyah won $10 K for discovering the new flaw as part of the social network’s bug bounty programme. The programme was launched in 2011 to recognise and compensate security researchers around the globe, and aims to improve the security controls of the platform and its subsidiaries.
Last month, Muthiyah had won $30 K for discovering an earlier bug that allowed hacking of accounts through the same password reset option.