This Instagram Loophole Allowed Hackers to Take Over Your Account in Less Than 10 Minutes

Hacker call (image: CC0) - Sputnik International
Instagram has fixed the bug and paid out a $30,000 reward to the man that found and reported the flaw. He said it would cost $150 to perform an attack that he staged.

A critical vulnerability has been exposed on Instagram that allowed a person’s account to be hijacked, without their consent, in under 10 minutes.

Web developer and security researcher Laxman Muthiyah has recounted on his tech blog, The Zero Hack, how he revealed the flaw.

When users want to reset their password or regain access to their account on Instagram, the service asks them to enter a six-digit security code sent to their linked mobile number or e-mail.

This means that an attacker would have to guess the right code out of one million possible combinations to take over someone else’s Instagram account.

The code must be used within a 10-minute timeframe; moreover, Instagram has rate-limiting protection in place to prevent brute-force attacks (i.e. it limits the number of requests a single IP address can make).

But Laxman found that this protection can be bypassed by spreading a brute-force attack across many IP addresses, sending concurrent requests from each without any of them being limited.

He said: “In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that's actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”
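As an added illustration (not Instagram's code, nor the researcher's), the verifier below shows why a limit keyed only on the source IP does not bound guesses at a single account, and how a per-account counter does; the limit values, the account name, the documentation-range IP addresses and the fixed test code are assumptions.

```python
import secrets
import time
from collections import defaultdict

CODE_TTL = 600           # seconds: the code is valid for 10 minutes, as in the article
PER_IP_LIMIT = 200       # assumption: guesses one IP address may submit per window
PER_ACCOUNT_LIMIT = 10   # assumption: wrong guesses tolerated for one account

class ResetCodeVerifier:
    """Checks six-digit reset codes, optionally bounding guesses per account."""
    def __init__(self, per_account, clock=time.monotonic):
        self.per_account = per_account
        self.clock = clock
        self.codes = {}                        # account -> (code, issued_at)
        self.ip_attempts = defaultdict(int)    # ip -> guesses submitted
        self.acct_attempts = defaultdict(int)  # account -> wrong guesses

    def issue(self, account, code=None):
        # One of 1,000,000 combinations; a fixed code may be passed for tests.
        code = code or f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = (code, self.clock())
        self.acct_attempts[account] = 0
        return code

    def verify(self, account, ip, guess):
        """Return 'ok', 'wrong', 'expired', 'rate_limited' or 'locked'."""
        entry = self.codes.get(account)
        if entry is None or self.clock() - entry[1] > CODE_TTL:
            return "expired"
        if self.ip_attempts[ip] >= PER_IP_LIMIT:
            return "rate_limited"   # per-IP only: a fresh address starts at zero
        if self.per_account and self.acct_attempts[account] >= PER_ACCOUNT_LIMIT:
            return "locked"         # bound is on the account, whatever the source IP
        self.ip_attempts[ip] += 1
        if secrets.compare_digest(guess, entry[0]):
            del self.codes[account]  # single use
            return "ok"
        self.acct_attempts[account] += 1
        return "wrong"

def guesses_evaluated(per_account, ips, per_ip):
    """Defensive simulation: wrong guesses the verifier evaluates when `ips` addresses each send `per_ip`."""
    v = ResetCodeVerifier(per_account)
    v.issue("victim", code="123456")   # constructed fixed code so the run is deterministic
    count = 0
    for i in range(ips):
        for _ in range(per_ip):
            if v.verify("victim", f"198.51.100.{i}", "000000") == "wrong":
                count += 1
    return count
```

With the per-IP policy alone, 50 addresses sending 10 guesses each get all 500 evaluated; with the per-account counter the account locks after 10, regardless of how many addresses are used.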

Laxman reported the vulnerability to Facebook, which owns the photo-sharing service. The company has since patched the bug and rewarded Laxman $30,000 as part of its Bug Bounty programme.
