How your Instagram account could have been hijacked

A researcher found that it was possible to subvert the platform’s password recovery mechanism and take control of user accounts



An independent researcher has found a security loophole in Instagram’s mobile password recovery flow that could have allowed attackers to break into user accounts.


The flaw, discovered and reported by India-based researcher Laxman Muthiyah, has since been fixed by Instagram’s owner, Facebook. The researcher, meanwhile, received a bug bounty payout of US$30,000 for his work.


Muthiyah, who has a history of spotting bugs in Facebook’s products, said that his latest bug-hunting effort was prompted by Facebook’s recent decision to increase payouts for vulnerabilities that can lead to account takeovers. Instagram’s web interface, which uses a link-based password reset, is not susceptible to the vulnerability.


As described in this posting and demonstrated in this proof-of-concept video, the security hole had to do with how the photo-sharing service enabled users to regain access to their accounts in case they’d forgotten their password.


As part of the password recovery process, you receive a six-digit code at your recovery phone number, which you’re asked to enter into the app as a way of validating your identity. The code expires after 10 minutes, and Instagram has additional safeguards in place to foil brute-force attacks against the code, where ne’er-do-wells would try to ram their way in by trying out all possible combinations in a bid to arrive ..
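The paragraph above describes the three properties a defender relies on in an SMS recovery flow: a short numeric code, a 10-minute lifetime, and a cap on guesses. The following is an added illustration of how a server-side verifier enforces all three; it is not Instagram’s or Facebook’s code and does not reflect how their service is implemented. The 10-minute expiry comes from the article; the five-attempt cap, the in-memory store, the account identifiers and the injectable clock are assumptions made for the demonstration. The key design choice is that the attempt counter is keyed on the account being recovered, not on the client’s IP address or device, so a guess budget cannot be reset by changing where the guesses come from.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # from the article: the code expires after 10 minutes
MAX_ATTEMPTS = 5             # assumed per-account cap; the article gives no figure


class RecoveryCodeStore:
    """Server-side store of pending six-digit recovery codes.

    Assumptions: one pending code per account, an in-memory dict instead of a
    database, and a clock that can be swapped out so expiry can be tested.
    The guess counter lives with the account, not with the client, so
    rotating source IPs or devices does not buy extra attempts.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # account_id -> [code_hash, salt, issued_at, attempts]
        self._pending = {}

    @staticmethod
    def _hash(code, salt):
        # Store only a salted hash so a leaked table does not expose live codes.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id):
        """Generate a fresh code for the account, replacing any pending one."""
        code = f"{secrets.randbelow(1_000_000):06d}"   # uniform over 000000..999999
        salt = secrets.token_bytes(16)
        self._pending[account_id] = [self._hash(code, salt), salt, self._clock(), 0]
        return code   # in production this goes out by SMS; returned here for the demo

    def verify(self, account_id, submitted):
        """Return one of: ok, wrong, locked, expired, no_pending_code."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_code"
        code_hash, salt, issued_at, _ = entry

        # Lifetime check comes first: an old code is dead even if it is correct.
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"

        # Count the attempt before comparing, so a failed compare always costs budget.
        entry[3] += 1

        if hmac.compare_digest(self._hash(submitted, salt), code_hash):
            del self._pending[account_id]   # single use: a code never verifies twice
            return "ok"

        if entry[3] >= MAX_ATTEMPTS:
            # Budget exhausted: discard the code so even a correct guess now fails.
            del self._pending[account_id]
            return "locked"
        return "wrong"


def wrong_code_for(code):
    """Helper for demonstrations: any six-digit string that differs from `code`."""
    return "000000" if code != "000000" else "000001"
```

Once the cap is hit the pending code is deleted, so the user must request a new one; the new code is drawn fresh, which keeps the attacker’s budget at `MAX_ATTEMPTS` guesses per issued code out of a million possibilities rather than letting guesses accumulate against a single long-lived value.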