Security researcher Laxman Muthiyah discovered this week a serious flaw in the Instagram account recovery process that could have been used to hack into the account of almost any user of the social network. Although it relies on trial and error, the vulnerability could be exploited by anyone with programming knowledge.
Before looking at how the researcher took advantage of the flaw in Instagram's system, it is worth noting that the platform places some restrictions on verification codes (the ones sent to your email or phone number by text message) during account recovery. Among them: up to 250 different codes can be tried per IP address, and each code is valid for only 10 minutes.
Since a code has six digits, there are one million possible combinations, far too many to try by hand. However, Muthiyah found that he could automate the attack against Instagram's API by sending a large number of combinations concurrently from a rotating list of IP addresses.
In the video below, recorded by the researcher, he demonstrates how he was able to send 200 thousand combinations (i.e. 20% of the one million) using the software he developed. According to Muthiyah, in a real attack scenario the attacker would need at least 5,000 IP addresses, which are easy to obtain from cloud providers such as Amazon and Google.
Using this method, Muthiyah estimates that the full attack, covering all one million combinations, would cost only about $150. If you were worried, the good news is that Facebook (Instagram's parent company) fixed the flaw after the researcher reported it.
Thus, the application now limits the total number of attempts that can be sent, even when they come from different IP addresses, making it infeasible to guess the code within the 10-minute window.
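As an added illustration (a toy model, not Instagram's code), the following Python compares a verifier that only counts attempts per IP address, which a rotating pool of addresses can outrun, with one that also caps total guesses per issued code regardless of source address. The per-code cap of 10 and the account names are assumptions; the 250-per-IP limit, six-digit codes and 10-minute validity come from the article.

```python
import secrets
import time
from collections import defaultdict

CODE_SPACE = 1_000_000   # six-digit codes
PER_IP_LIMIT = 250       # attempts allowed per source IP (figure from the article)
CODE_TTL_SECONDS = 600   # each code is valid for 10 minutes
PER_CODE_LIMIT = 10      # assumed cap on total guesses per issued code (hardened variant)


def min_ip_pool(code_space: int = CODE_SPACE, per_ip: int = PER_IP_LIMIT) -> int:
    """Smallest rotating pool that lets every code be tried under a per-IP-only limit."""
    return -(-code_space // per_ip)  # ceiling division: 1,000,000 / 250 = 4000


class RecoveryCodeVerifier:
    """Toy verifier. With per_code_cap=False only the per-IP counter exists (the weak
    design); with per_code_cap=True attempts are also counted per issued code, no
    matter which IP sends them, which is the kind of fix the article describes."""

    def __init__(self, per_code_cap: bool, clock=time.time):
        self.per_code_cap = per_code_cap
        self.clock = clock
        self.ip_attempts = defaultdict(int)
        self.codes = {}  # account -> [code, issued_at, attempts_so_far]

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = [code, self.clock(), 0]
        return code

    def verify(self, account: str, guess: str, src_ip: str) -> str:
        entry = self.codes.get(account)
        if entry is None or self.clock() - entry[1] > CODE_TTL_SECONDS:
            return "expired"
        if self.ip_attempts[src_ip] >= PER_IP_LIMIT:
            return "ip_rate_limited"
        if self.per_code_cap and entry[2] >= PER_CODE_LIMIT:
            return "locked"  # global cap: switching IPs no longer buys more guesses
        self.ip_attempts[src_ip] += 1
        entry[2] += 1
        return "ok" if secrets.compare_digest(guess, entry[0]) else "wrong"


def accepted_guesses(verifier: RecoveryCodeVerifier, account: str, ip_count: int) -> int:
    """Regression check for the rate limiter: count how many guesses the verifier actually
    evaluates when requests are spread round-robin over ip_count addresses (constructed
    pool in the 198.51.100.0/24 documentation range)."""
    ips = [f"198.51.100.{i}" for i in range(ip_count)]
    checked = 0
    for n in range(ip_count * (PER_IP_LIMIT + 1)):
        if verifier.verify(account, f"{n:06d}", ips[n % ip_count]) in ("ok", "wrong"):
            checked += 1
    return checked
```

With 40 addresses the per-IP-only verifier evaluates 10,000 guesses, while the hardened one stops after 10, so the size of the IP pool no longer matters.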
In an email sent to PCMag, Instagram said it awarded Muthiyah $30,000 (~$112,500) for finding the vulnerability and pointed out that Facebook runs a bug bounty program open to anyone who finds possible flaws in its platforms.