A security analyst has discovered a vulnerability in Instagram's account recovery process that gave him access to a test account.
A security analyst has found a bug in the Instagram account recovery process that may have put many accounts at risk.
Analyst Laxman Muthiyah discovered the flaw while investigating how the application lets you regain access to your account after you have forgotten the password. For authentication, Instagram sends a random six-digit number via SMS to the user's phone; entering it grants access to the account.
The researcher wondered whether a "brute force" technique could be used to bypass the system. In this method, thousands of random combinations are entered until the correct one is found. In this case the trick worked, but specific circumstances make the whole process quite complicated.
More specifically, Instagram restricts how many of these codes can be entered: there is a limit of 250 attempts per IP address within a ten-minute time frame.
To guess a six-digit code you have to try about a million different combinations. This number is enough to keep the system safe from an ordinary user. However, Muthiyah found a way to automate the process: by writing a program, he was able to submit huge volumes of random combinations from a list of different IP addresses.
Muthiyah uploaded a video of the attack showing him sending 200,000 different combinations in an attempt to break into a test account. "In a real attack, the attacker will need about 5,000 IPs to break the account. It may sound like a big number but in reality it is not difficult. If you use a cloud service from Amazon or Google then it will cost you about $150 to make a complete attack of one million passwords," he said in a related blog post.
The good news is that Instagram has fixed the problem. Muthiyah told PCMag that the application now limits the number of attempts a user can make regardless of their IP address.
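The distinction behind that fix, as an added example that is not Instagram's code: a sliding-window rate limiter keyed on the client IP (the policy that requests spread over many addresses slip past) beside the same limiter keyed on the target account. The limiter, the key functions, the source labels and the simulation are assumptions; only the 250-attempt and ten-minute figures come from the article.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # ten-minute window stated in the article
MAX_ATTEMPTS = 250     # per-key limit stated in the article


class SlidingWindowLimiter:
    """Sliding-window counter; the key function decides WHAT gets rate limited."""

    def __init__(self, key_fn, limit=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.key_fn = key_fn
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # key -> timestamps of recent attempts

    def allow(self, account, ip, now):
        key = self.key_fn(account, ip)
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over budget for this key
        q.append(now)
        return True


def per_ip(account, ip):
    return ip            # weak policy: only the source address is counted


def per_account(account, ip):
    return account       # the fix: the targeted account is limited regardless of IP


def attempts_allowed(limiter, account, n_sources, attempts_per_source):
    """Constructed simulation (assumption): count how many code submissions
    against one account the limiter accepts when requests arrive from
    n_sources different addresses inside a single window. No code is guessed
    here; only the limiter's policy is exercised."""
    allowed = 0
    for src in range(n_sources):
        for t in range(attempts_per_source):          # t < window, so one window
            if limiter.allow(account, f"src-{src}", now=t):
                allowed += 1
    return allowed


if __name__ == "__main__":
    print("per-IP limit, 20 sources:", attempts_allowed(SlidingWindowLimiter(per_ip), "victim", 20, 300))
    print("per-account limit, 20 sources:", attempts_allowed(SlidingWindowLimiter(per_account), "victim", 20, 300))
```

With the per-IP key each additional address buys another 250 attempts, which is exactly the budget the article describes scaling with the number of IPs; with the per-account key the total stays at 250 no matter how many addresses are used.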
In an email, Instagram told PCMag: "We have fixed the problem and have not found any exploit. We are grateful to the analyst who helped identify the problem." Facebook, which owns Instagram, has a program that rewards bug discoveries through Bugcrowd, which awarded $30,000 to Muthiyah for his discovery.