Laxman Muthiya is a security researcher who recently discovered that he could hack into anyone’s Instagram account without their consent. He did not use the finding for his own benefit. Instead, Laxman Muthiya reported the details of the vulnerability to Facebook and was rewarded $30,000 for his honesty.
Facebook runs a bug bounty program that rewards those who find and report flaws in its security controls. According to Muthiya, the company has recently increased the amount it pays for vulnerabilities classified as critical, such as account takeovers. That is why the cybersecurity expert decided to try his luck.
Laxman Muthiya tried several approaches to bypassing Instagram’s password-reset mechanism. The link-based password reset was too robust, and he was unable to find any bugs in it. He kept at it, however, until he turned to the mobile recovery flow. He writes on his blog, ‘When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore, if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account.’
Laxman Muthiya assumed, however, that there would be a rate limit in place against such attacks. He spent the next two days testing his theory and learned that by combining a race condition with IP rotation, he could change anyone’s password and access their account. Facebook was initially unable to reproduce the flaw that let Muthiya take over accounts. Only after he provided more details and a proof-of-concept video was Facebook able to reproduce it.
In a real attack of this kind, the attacker would have to use 5,000 IPs to take over an account. However, Muthiya says, ‘this sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.’
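The two weaknesses the article describes, a rate limit that can be reset by changing source IP and a check that can be raced, are design flaws in the verification step rather than in the six-digit code itself. The following is an added example, not code from the article, from Muthiya, or from Facebook: a simplified recovery-code verifier in the weak form (a per-IP attempt budget with a non-atomic check-then-count) beside a hardened form that charges the attempt budget to the account whose code is being guessed, increments the counter under a lock before comparing, and discards the code once the budget is spent. The account names, the five-attempt budget and the sample IP addresses are constructed for the demonstration.

```python
"""Recovery-code verification that resists the two bypasses the article describes:
a rate limit keyed by client IP (defeated by rotating IPs) and a non-atomic
check-then-count (defeated by a race condition). Added example for this page, not
Instagram's or Facebook's code; the 5-attempt budget and account names are assumed."""
import hmac
import secrets
import threading

CODE_DIGITS = 6    # the article's six-digit passcode: one million possibilities
MAX_ATTEMPTS = 5   # assumed budget per issued code, charged to the account, not the IP
# verify() outcomes: compared and matched / compared and missed / never compared
ACCEPTED, WRONG, BLOCKED = "accepted", "wrong", "blocked"


def new_code():
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class NaiveVerifier:
    """Weak pattern: the budget is keyed by source IP (a new IP gets a new budget) and
    check-then-increment is two separate steps (concurrent requests all pass the check)."""

    def __init__(self):
        self.codes = {}            # account -> pending code
        self.attempts_by_ip = {}   # client ip -> attempts made

    def issue(self, account):
        self.codes[account] = new_code()
        return self.codes[account]

    def verify(self, account, guess, client_ip):
        if self.attempts_by_ip.get(client_ip, 0) >= MAX_ATTEMPTS:
            return BLOCKED
        matched = self.codes.get(account) == guess   # not constant-time either
        self.attempts_by_ip[client_ip] = self.attempts_by_ip.get(client_ip, 0) + 1
        return ACCEPTED if matched else WRONG


class HardenedVerifier:
    """The budget belongs to the account being guessed, is counted under a lock before
    the answer is returned, and the code is discarded once used or once it is spent."""

    def __init__(self):
        self._codes = {}       # account -> pending code
        self._attempts = {}    # account -> guesses made against that code
        self._lock = threading.Lock()

    def issue(self, account):
        code = new_code()
        with self._lock:
            self._codes[account] = code
            self._attempts[account] = 0
        return code

    def verify(self, account, guess, client_ip=None):
        # client_ip is accepted only for logging; it never affects the decision.
        with self._lock:
            code = self._codes.get(account)
            if code is None:
                return BLOCKED
            # Count before comparing: under the lock no two requests can both
            # observe attempts == MAX_ATTEMPTS - 1, so the budget is exact.
            self._attempts[account] += 1
            matched = hmac.compare_digest(code.encode(), guess.encode())
            if matched or self._attempts[account] >= MAX_ATTEMPTS:
                del self._codes[account]     # single use, or budget exhausted
                del self._attempts[account]
            return ACCEPTED if matched else WRONG


def wrong_guess_for(code):
    """A guess guaranteed not to match, so the demonstrations are deterministic."""
    return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def guesses_checked_with_ip_rotation(verifier, account, requests):
    """Submit `requests` wrong guesses, each from a different IP, and return how
    many the verifier actually compared against the pending code."""
    wrong = wrong_guess_for(verifier.issue(account))
    results = [verifier.verify(account, wrong, f"10.0.{i // 256}.{i % 256}")
               for i in range(requests)]
    return results.count(WRONG)


def guesses_checked_concurrently(verifier, account, threads):
    """Release `threads` wrong guesses at the same instant from one IP and return how
    many were compared; the hardened verifier never exceeds MAX_ATTEMPTS."""
    wrong = wrong_guess_for(verifier.issue(account))
    results, barrier = [], threading.Barrier(threads)
    def worker():
        barrier.wait()   # every thread enters verify() together
        results.append(verifier.verify(account, wrong, "203.0.113.7"))
    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results.count(WRONG)
```

Calling `guesses_checked_with_ip_rotation(NaiveVerifier(), "alice", 20)` returns 20: every new address arrives with a fresh budget, which is why the article's attack scales with the number of IPs rather than being stopped by the limit. The hardened verifier returns 5 for the same call and for `guesses_checked_concurrently(HardenedVerifier(), "bob", 50)`, so the chance of guessing a given code is at most five in a million however many addresses or parallel requests are used. A production verifier would additionally expire codes after a few minutes and bind them to the reset session that requested them.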
Facebook has fixed the error and paid Laxman Muthiya $30K for his efforts!