Barely a month after winning $30,000 from Facebook for spotting a security flaw in Instagram, Chennai-based cyber-security researcher, Laxman Muthiyah, claimed to have won a further $10,000 from the tech giant for finding and reporting a new ‘account-takeover vulnerability’ in the photo and video-sharing platform. The new vulnerability was reportedly similar to the one he reported in July and, allowed hackers to access people’s Instagram accounts without their consent.
According to him, the vulnerability arose from the fact that Instagram was not using unique device IDs to validate password-reset codes requested by users. Once he found that the same device IDs were being used to request multiple pass codes of different users, he developed a proof-of-concept demo that showed the flaw can be exploited to hack random Instagram accounts.
Facebook has now fixed the vulnerability following his report, said Muthiyah. “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme”, he said. “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to ten attempt recovery”, Facebook reportedly said in a letter to Muthiyah.
Muthiyah last month won $30,000 from Facebook for discovering that it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account. “I reported the vulnerability to the Facebook security team and … after a few email and proof of concept video, I could convince them the attack is feasible”, he wrote in a blog post.
With inputs from IANS