The flaw allowed anyone with knowledge of brute force attack to hack Instagram accounts without raising any suspicion.
How to hack Instagram account? This is something that every Tom, Dick, and Harry wants to know since with over a billion users, Instagram is the world’s largest photo and video-sharing social networking service.
While people are making a living out of Instagram, it has also become a lucrative target for hackers and other malicious elements. That is why any vulnerability targeting the social network giant is a big thing, and Facebook knows it.
Recently, Laxman Muthiyah, an IT security researcher and bug bounty hunter from India, discovered a critical vulnerability in Instagram that would allow an attacker to hack an Instagram account without the victim’s knowledge or permission, all in under 10 minutes.
The vulnerability existed in the password reset mechanism of Instagram’s mobile version which, like any other platform, lets users recover their password in case they have forgotten it or when someone tries to access their account maliciously.
Laxman explained the proof of concept of the vulnerability in his blog post, according to which Instagram’s password recovery feature sends a six-digit passcode to the email address or phone number associated with the account.
Laxman dug further and used a brute-force attack to guess the passcode of a targeted account, trying 200,000 codes against the verify-code endpoint. The passcode is usable for 10 minutes, after which it expires, meaning the attacker has a 10-minute window to breach the account.
However, since Instagram uses a rate-limiting feature, such an attack should have been almost impossible to execute. Rate limiting caps how many times a certain activity can be performed within a given time. For instance, different Instagram accounts have different rate limits: some accounts are allowed 500 to 1,000 likes per day, some can follow 200 to 500 accounts per day, while some can unfollow 200 to 300 accounts per day.
When it comes to password reset, the rate limit is meant to block any misuse of the feature, yet Laxman carried out the brute-force attack anyway by exploiting a race condition, “sending concurrent requests using multiple IPs”, which allowed him to “send a large number of requests without getting limited.”
In a YouTube video, Laxman demonstrated sending 200,000 requests, which is 20% of the one million possible six-digit codes.
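As an added illustration, not code from the article, from Laxman’s write-up or from Instagram, the following Python sketch contrasts a reset-code verifier whose only throttle is a per-source-IP counter with one that ties a small attempt budget to the code itself and checks it inside a single critical section. The six-digit code and the 10-minute lifetime come from the article; the class names, the per-IP limit of 200 and the budget of five attempts per code are assumptions chosen for the demonstration.

```python
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_DIGITS = 6            # six-digit passcode, as described in the article
CODE_TTL_SECONDS = 600     # usable for 10 minutes, as described in the article
MAX_ATTEMPTS_PER_CODE = 5  # assumption: small per-code budget, not Instagram's value


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _new_code() -> str:
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class PerIpVerifier:
    """Weak design (hypothetical, for contrast): the only throttle is a per-IP
    counter, so guesses spread over many addresses are never limited per account."""

    def __init__(self, per_ip_limit: int = 200):
        self.per_ip_limit = per_ip_limit
        self.codes: Dict[str, ResetCode] = {}
        self.per_ip: Dict[str, int] = {}

    def issue(self, account: str, now: Optional[float] = None) -> str:
        self.codes[account] = ResetCode(_new_code(), time.time() if now is None else now)
        return self.codes[account].code

    def verify(self, account: str, guess: str, src_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.per_ip.get(src_ip, 0) >= self.per_ip_limit:
            return "rate_limited"
        self.per_ip[src_ip] = self.per_ip.get(src_ip, 0) + 1
        rc = self.codes.get(account)
        if rc is None or now - rc.issued_at > CODE_TTL_SECONDS:
            return "expired"
        return "ok" if secrets.compare_digest(guess, rc.code) else "wrong"


class PerAccountVerifier:
    """Hardened design: the attempt budget belongs to the code, the read/compare/
    update happen under one lock so concurrent requests cannot race past the
    budget, and the code is burned once used or once the budget is spent."""

    def __init__(self) -> None:
        self.codes: Dict[str, ResetCode] = {}
        self.lock = threading.Lock()

    def issue(self, account: str, now: Optional[float] = None) -> str:
        with self.lock:
            self.codes[account] = ResetCode(_new_code(), time.time() if now is None else now)
            return self.codes[account].code

    def verify(self, account: str, guess: str, src_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        with self.lock:  # single critical section, regardless of source IP
            rc = self.codes.get(account)
            if rc is None or rc.consumed or now - rc.issued_at > CODE_TTL_SECONDS:
                return "expired"
            rc.attempts += 1
            if secrets.compare_digest(guess, rc.code):
                rc.consumed = True  # single use
                return "ok"
            if rc.attempts >= MAX_ATTEMPTS_PER_CODE:
                rc.consumed = True  # budget spent: the user must request a fresh code
            return "wrong"


def evaluated_guesses_weak(n_ips: int = 100, per_ip_limit: int = 200) -> int:
    """Constructed scenario: count how many wrong guesses at ONE account the weak
    verifier actually evaluates when they are spread over n_ips addresses."""
    v = PerIpVerifier(per_ip_limit)
    real = v.issue("victim", now=0.0)
    wrong = "000000" if real != "000000" else "000001"
    evaluated = 0
    for i in range(n_ips):
        ip = f"10.0.{i // 256}.{i % 256}"
        for _ in range(per_ip_limit):
            if v.verify("victim", wrong, ip, now=1.0) != "rate_limited":
                evaluated += 1
    return evaluated


def concurrent_guesses_hardened(n_threads: int = 50) -> Tuple[int, bool]:
    """Constructed scenario: n_threads simultaneous wrong guesses from distinct IPs
    hit the hardened verifier; return (guesses evaluated, real code still valid)."""
    v = PerAccountVerifier()
    real = v.issue("victim", now=0.0)
    wrong = "000000" if real != "000000" else "000001"
    results, results_lock = [], threading.Lock()
    barrier = threading.Barrier(n_threads)

    def worker(i: int) -> None:
        barrier.wait()  # release every thread at once to stress the critical section
        r = v.verify("victim", wrong, f"10.1.0.{i}", now=1.0)
        with results_lock:
            results.append(r)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("wrong"), v.verify("victim", real, "10.2.0.1", now=2.0) == "ok"
```

With 100 addresses and a per-IP limit of 200, the weak verifier evaluates 20,000 guesses at a single account, which is exactly the pattern the article describes; the hardened verifier evaluates five, no matter how many addresses or concurrent requests are used, and then invalidates the code so a successful guess cannot land later. In a real deployment the counter would live in a shared store with an atomic increment rather than a process-local lock, but the property to test is the same: the budget must be enforced per code, not per client.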
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” said Laxman.
Watch the PoC video below:
The good news is that Laxman participated in Instagram’s bug bounty program and reported the vulnerability to the company, which awarded him $30,000. Simply put: the vulnerability has been patched.
If you own an Instagram account, protect it from malicious attacks by keeping a strong password and two-factor authentication enabled at all times. Furthermore, watch out for the surge in phishing attacks tricking users into giving away their login credentials.