Listen Live
    Hacker call

    This Instagram Loophole Allowed Hackers to Take Over Your Account in Less Than 10 Minutes

    CC0
    Tech
    Get short URL
    0 60

    Instagram has fixed the bug and paid out a $30,000 reward to the man that found and reported the flaw. He said it would cost $150 to perform an attack that he staged.

    A critical vulneravility has been exposed on Instagram that allowed for the hijacking of a person’s account without their consent within 10 minutes.

    Web developer and security researcher Laxman Muthiyah has recounted on his tech blog, The Zero Hack, how he revealed the flaw.

    When users want to reset their password or regain access to their account on Instagram, the service asks them to enter a six-digit security code sent to their linked mobile number or e-mail.

    This means that one has to guess one of the one million possible combinations to take over someone else’s Instagram account.

    The code should be used within a 10-minut timeframe; moreover, Instagram has rate-limiting protection in place to prevent hacks (i.e. it limits the number of requests an IP address can make).

    But Laxman found that this feature can be bypassed by a brute-force attack from multiple IP addresses, sending concurrent requests without getting limited.

    He said: “In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that's actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes".

    Laxman reported the vulnerability to Facebook, which owns the photo-sharing service. The company has since patched the bug and rewarded Laxman $30,000 as part of its Bug Bounty programme.

    Community standardsDiscussion
    Comment via FacebookComment via Sputnik