A hacker received $30,000 (just over $112,000) as a reward for discovering an Instagram security hole and reporting the problem to Instagram. Indian programmer Laxman Muthiyah found a vulnerability that allowed him to hack into any account on the social network through the password recovery system. In an article on The Zero Hack blog, he says he could have logged into any Instagram account if he had wanted to. Instagram has confirmed the vulnerability and has already fixed the flaw.
The amount Laxman Muthiyah received comes from a Facebook fund that pays hackers rewards for finding holes in one of the company's apps, which helps the security team create a fix before criminals can exploit them in Internet scams.
The flaw was in Instagram's password recovery system on the phone. When asked to reset a password, the app sends a code via SMS as a means of authenticating the user. The bug that allowed the hack was in this feature: the hacker found a way to test thousands of combinations until he hit the correct code and unlocked the password reset.
The key is a weakness in how Instagram blocked brute-force attacks. The social network used a mechanism that prevented many codes from being tested in a short interval. However, the hacker managed to bypass the block by using multiple IPs at the same time: the application could not tell that the requests came from the same hacker and did not apply the retry limits.
According to the hacker, it took a thousand IPs to fire all the requests at the servers at the same time and test as many codes as possible. That done, he could reset the password and hack into any Instagram account in minutes.
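A minimal simulation of the weakness described above, added here as an illustration and not taken from Instagram or The Zero Hack: a retry limiter keyed on the source IP lets guesses spread over many addresses through, while one keyed on the target account does not. The limit of 5, the field names and the addresses are constructed assumptions; the article does not say how Instagram fixed the flaw.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5  # constructed limit, not Instagram's real value


class AttemptLimiter:
    """Counts reset-code guesses per key during one code's lifetime."""

    def __init__(self, key_fields, max_attempts=MAX_ATTEMPTS):
        self.key_fields = key_fields      # request fields that form the key
        self.max_attempts = max_attempts
        self.counts = defaultdict(int)

    def allow(self, request):
        key = tuple(request[f] for f in self.key_fields)
        if self.counts[key] >= self.max_attempts:
            return False                  # cap reached for this key
        self.counts[key] += 1
        return True


def simulate(limiter, account, source_ips, guesses_per_ip):
    """Return how many guesses against one account the limiter accepts."""
    accepted = 0
    for ip in source_ips:
        for _ in range(guesses_per_ip):
            if limiter.allow({"account": account, "ip": ip}):
                accepted += 1
    return accepted


def compare(num_ips=1000, guesses_per_ip=5):
    # Constructed private-range addresses standing in for the "thousand IPs".
    ips = [f"10.0.{i // 256}.{i % 256}" for i in range(num_ips)]
    per_ip = AttemptLimiter(key_fields=("ip",))            # weak: keyed on source
    per_account = AttemptLimiter(key_fields=("account",))  # keyed on the target
    return {
        "per_ip": simulate(per_ip, "victim", ips, guesses_per_ip),
        "per_account": simulate(per_account, "victim", ips, guesses_per_ip),
    }


if __name__ == "__main__":
    print(compare())
```

With the per-IP key every new address starts with a fresh budget, so the total number of accepted guesses grows with the number of addresses; with the per-account key it stays at the cap no matter how many sources take part.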
Facebook gave US $ reward to developer who discovered Instagram flaw. Photo: Publicity / The Zero Hack
Via The Zero Hack and Facebook Bounty Program