Popular social media platform Instagram first introduced two-factor authentication back in 2017 and has since extended it, most recently by adding support for third-party authenticator apps. That protects the login itself, but a security researcher found a flaw in a different path into the account: a rate-limiting bug in Instagram's password recovery flow that would have allowed him to take over any Instagram account.
The researcher, Laxman Muthiyah, explained on his blog how he found the flaw. He initially tested Instagram's web interface for password-reset weaknesses and found none, which led him to look at the mobile app's recovery flow instead.
Like many apps, Instagram's mobile recovery flow sends a six-digit code to the phone number on the account when a user is locked out; entering that code lets the user set a new password. Muthiyah dug into how the code was verified by brute-forcing it and found that Instagram rate-limited verification requests per source IP address but did not block the address outright: each IP was allowed a few hundred guesses before being throttled, and the limit was tied to the address rather than to the account under attack. He exploited this by writing a script that spreads the guesses across many IP addresses.
Muthiyah combined this IP rotation with a race condition. A race condition is a flaw where a system's behaviour depends on the timing of concurrent requests; here, a burst of verification requests sent at the same instant were all processed before the rate limiter's counter caught up with them, so more guesses got through than the limit was meant to allow. He reports using 1000 different machines in his tests to send 200,000 requests, and he published a video demonstrating the attack.
A six-digit code has 1,000,000 possible values, so at roughly 200 guesses per IP an attacker who wants to cover the whole space needs around 5000 IPs, which Muthiyah noted can be rented from cloud providers such as Amazon or Google for less than 150 dollars. Facebook's security team acknowledged the vulnerability and rewarded him with a bug bounty of $30,000.
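The following simulation, added here to illustrate the three paragraphs above and not taken from Muthiyah's write-up or from Instagram, models a verifier that counts guesses per source IP (and checks its counter before incrementing it, the race) next to a hardened verifier that counts wrong guesses per account and burns the code after a few of them. The six-digit code space and the figure of about 200 guesses per IP come from the article; the per-account limit of five wrong guesses, the victim code 123456 and the "ip-N" labels are constructed for the example.

```python
"""Constructed model of a per-IP rate limit defeated by IP rotation plus a
race, and a per-account limit that resists both.  Not Instagram's code."""

CODE_SPACE = 1_000_000        # six decimal digits: 000000..999999
PER_IP_LIMIT = 200            # guesses served per IP before throttling (from the article)
PER_ACCOUNT_LIMIT = 5         # hardened: wrong guesses allowed per issued code (assumption)


def ips_needed(code_space=CODE_SPACE, per_ip_limit=PER_IP_LIMIT):
    """Worst-case number of IPs needed to try every code under a per-IP limit."""
    return -(-code_space // per_ip_limit)          # ceiling division -> 5000


class VulnerableVerifier:
    """Counts guesses per source IP only, and checks the counter before
    incrementing it, so a burst of concurrent requests from a fresh IP is
    served in full even when it exceeds the limit (the race condition)."""

    def __init__(self, code, limit=PER_IP_LIMIT):
        self.code = code
        self.limit = limit
        self.attempts = {}                          # source IP -> guesses served

    def check_burst(self, ip, guesses):
        """Serve one burst of concurrent guesses from one IP.
        Returns (matching code or None, number of guesses served)."""
        if self.attempts.get(ip, 0) >= self.limit:  # check ...
            return None, 0
        self.attempts[ip] = self.attempts.get(ip, 0) + len(guesses)  # ... then count
        return (self.code if self.code in guesses else None), len(guesses)


class HardenedVerifier:
    """Counts wrong guesses per account, ignores the source IP, processes
    an account's guesses one at a time (a real service would use an atomic
    counter) and invalidates the code once the limit is reached."""

    def __init__(self, code, limit=PER_ACCOUNT_LIMIT):
        self.code = code
        self.limit = limit
        self.wrong = 0
        self.valid = True

    def check_burst(self, ip, guesses):             # ip is deliberately unused
        served = 0
        for guess in guesses:
            if not self.valid:
                break
            served += 1
            if guess == self.code:
                return guess, served
            self.wrong += 1
            if self.wrong >= self.limit:
                self.valid = False                  # burn the code; user must request a new one
        return None, served


def brute_force(verifier, batch=PER_IP_LIMIT, ip_pool=None):
    """Attacker: walk the code space, sending `batch` guesses at once from
    each of a pool of rotating IPs.  Returns (code or None, IPs used, requests sent)."""
    if ip_pool is None:
        ip_pool = ips_needed(CODE_SPACE, batch)
    sent = 0
    for i in range(ip_pool):
        ip = f"ip-{i}"                              # label standing in for a rented address
        guesses = range(i * batch, min((i + 1) * batch, CODE_SPACE))
        found, served = verifier.check_burst(ip, guesses)
        sent += served
        if found is not None:
            return found, i + 1, sent
    return None, ip_pool, sent


if __name__ == "__main__":
    secret = 123456                                 # constructed victim code
    print("IPs for full coverage:", ips_needed())
    print("vulnerable, 200 per IP:", brute_force(VulnerableVerifier(secret)))
    print("vulnerable, 300 per IP via the race:", brute_force(VulnerableVerifier(secret), batch=300))
    print("hardened:", brute_force(HardenedVerifier(secret)))
```

Against the vulnerable verifier the attacker recovers 123456 after 618 rotated IPs with 200 guesses each, or 412 IPs when the race lets each fresh address push 300 guesses through; against the hardened verifier the code is invalidated after five wrong guesses and no amount of IP rotation yields another attempt. The point for a defender is that the counter has to be keyed to the thing being guessed (the account or the issued code), incremented atomically before the comparison, and backed by a hard cap on wrong guesses per code.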
Luckily, this was found and reported by a security researcher. Had a black hat discovered it first, any Instagram account could have been taken over through its password recovery flow. So, what are your thoughts on this? Let us know in the comments.