This Guy Showed How to Hack Any Instagram Account, Rewarded $30K by Facebook

A security researcher hacked Instagram over the course of two days and passed the information onto Facebook for a large reward.
Chris Young

Security researcher Laxman Muthiya recently discovered how he could hack into anyone's Instagram account without their consent.

Instead of exploiting the flaw for his own ends, the trained hacker sent the details of the cybersecurity vulnerability to Facebook and was rewarded $30K for his honesty.

Facebook hacker bounties

As part of their bounty program, Facebook rewards people who find and report issues with their security controls.

As Muthiya says in a post about his findings, the famous social media company recently increased reward payouts for all critical vulnerabilities including account takeovers. So the cybersecurity expert decided to try his luck.

He tried several methods to bypass Instagram's password reset mechanism. The platform's link-based password reset is robust, he says, and a few minutes of testing turned up no bugs.

However, as Muthiya details in the above video, he found a vulnerability in the mobile recovery flow. 

Two days of testing

Muthiya also detailed the issue on his blog:

"When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account."

However, he assumed there would be rate-limiting in place against this kind of brute-force attack. Over two full days of testing he found that a race condition, combined with IP rotation, let him get around it, so he was able to change anyone's password and access their account.
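The recovery flow quoted above is exactly what a rate limiter on the verify-code endpoint has to protect, and the two gaps the article names (a counter that follows a rotating client IP, and a race between checking the budget and recording the attempt) are both design mistakes on the defender's side. The Python below is an added illustration, not Muthiya's proof-of-concept or Instagram's code: a naive limiter that exhibits both gaps sits beside a per-account limiter that reserves each attempt atomically and discards the code once the budget is spent. All names (NaiveLimiter, AccountLimiter, MAX_ATTEMPTS, the flow functions) and the sample addresses are constructed for the example.

```python
"""Rate limiting on a six-digit recovery-code check: a naive design beside
a hardened one. Constructed example for this article; not Instagram's code.
MAX_ATTEMPTS, NaiveLimiter, AccountLimiter and the flow functions are all
invented names for this illustration."""
import hmac
import secrets
import threading

MAX_ATTEMPTS = 5  # wrong guesses allowed before a recovery code is discarded


class NaiveLimiter:
    """Budget keyed by client IP, checked in one step and recorded in a later
    step. Two weaknesses: the key resets with every new IP, and the gap
    between allowed() and record() lets requests that arrive together all
    pass the check before any of them has been counted."""

    def __init__(self):
        self.attempts = {}

    def allowed(self, ip):
        return self.attempts.get(ip, 0) < MAX_ATTEMPTS

    def record(self, ip):
        self.attempts[ip] = self.attempts.get(ip, 0) + 1


class AccountLimiter:
    """Budget keyed by the account under recovery, reserved atomically under
    a lock before the guess is compared. When the budget is spent the account
    is marked burned, so a new IP buys nothing and no interleaving of
    requests can admit more than MAX_ATTEMPTS guesses."""

    def __init__(self):
        self._lock = threading.Lock()
        self.attempts = {}
        self.burned = set()

    def reserve(self, account):
        with self._lock:  # check and increment happen as one step
            if account in self.burned:
                return False
            n = self.attempts.get(account, 0) + 1
            self.attempts[account] = n
            if n > MAX_ATTEMPTS:
                self.burned.add(account)
                return False
            return True


def issue_code(store, account):
    """Issue a random, zero-padded six-digit code for an account."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    store[account] = code
    return code


def verify_code(store, account, guess):
    """Constant-time comparison; an account with no outstanding code never verifies."""
    expected = store.get(account)
    return expected is not None and hmac.compare_digest(expected, guess)


def naive_burst(limiter, ip, concurrent):
    """Model `concurrent` requests from one IP arriving together, scheduled so
    that every allowed() runs before any record() (the lost-update
    interleaving). Returns how many guesses got past the limiter."""
    admitted = sum(1 for _ in range(concurrent) if limiter.allowed(ip))
    for _ in range(admitted):
        limiter.record(ip)
    return admitted


def naive_rotating(limiter, requests):
    """Each request arrives from a distinct IP, so the per-IP budget never fills."""
    admitted = 0
    for i in range(requests):
        ip = f"10.0.{i // 256}.{i % 256}"  # constructed address pool
        if limiter.allowed(ip):
            limiter.record(ip)
            admitted += 1
    return admitted


def hardened_burst(limiter, account, concurrent):
    """Same burst against the per-account limiter: reserve() is atomic and the
    source address is irrelevant, so at most MAX_ATTEMPTS get through."""
    return sum(1 for _ in range(concurrent) if limiter.reserve(account))


def recovery_check(limiter, store, account, guess):
    """Hardened verify endpoint: reserve budget first, then compare."""
    if not limiter.reserve(account):
        return "rate_limited"
    if verify_code(store, account, guess):
        store.pop(account, None)  # a code is single use
        return "ok"
    return "wrong_code"


if __name__ == "__main__":
    print("naive, burst of 50 from one IP :", naive_burst(NaiveLimiter(), "203.0.113.7", 50))
    print("naive, 1000 requests, fresh IPs:", naive_rotating(NaiveLimiter(), 1000))
    print("hardened, burst of 50          :", hardened_burst(AccountLimiter(), "alice", 50))
```

The point of the comparison is that the budget has to belong to the thing being protected (the account and its outstanding code), not to the requester, and that "check, then count" must be a single atomic step; a per-IP counter that is checked and incremented separately fails on both counts even when the limit itself is tight.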

Two main takeaways

Facebook initially couldn't reproduce the error that allowed Muthiya to hack anyone's account — until he provided them more detail with his proof-of-concept video. This suggests that even a seasoned hacker would have had trouble finding and manipulating the vulnerability.

However, if found, it would have been surprisingly easy for a cybercriminal to take advantage of the vulnerability.

In a real cyber-attack scenario, a hacker would have needed 5000 IPs to hack an account. As Muthiya says, this "sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google."

"It would cost around 150 dollars to perform the complete attack of one million codes."

Facebook has now fixed the issue and paid Muthiya $30K for his efforts in finding the vulnerability. 
