Instagram has recently patched a critical vulnerability that would have allowed an attacker to take over any Instagram account without any interaction from the targeted user.
Instagram, the photo-sharing network owned by Facebook, is one of the largest social networks in the world. Even with advanced security mechanisms in place, the biggest platforms, such as Facebook, Google, LinkedIn and Instagram, are not immune to attackers and have had their share of serious vulnerabilities.
The vulnerability, now patched, could have let a remote attacker reset the password of any Instagram account and take full control of it.
The vulnerability which existed in the password recovery mechanism implemented by the mobile version of Instagram was discovered and reported by Indian bug bounty hunter Laxman Muthiyah.
The “password reset” or “password recovery” feature allows a user to get access to their account on a website if they happen to forget their password.
On Instagram, to prove their identity the user must enter a six-digit passcode, valid for 10 minutes, that is sent to the phone number or email address associated with the account.
A six-digit code has only one million possible values, so one of them will always unlock the account. Brute-forcing it is still not trivial, because Instagram rate-limits verification attempts to defend against exactly that.
The researcher found, however, that the rate limiting could be bypassed by spreading the guesses over many IP addresses and by exploiting a race condition: sending requests concurrently so that many attempts are processed at the same time.
Laxman demonstrated the attack by submitting 200,000 passcode combinations (20% of the code space) in quick succession without being blocked, a run he recorded on video.
An attacker needs at least 5,000 IP addresses to cover the full code space (1,000,000 codes over 5,000 addresses is about 200 attempts each), which is easy to arrange with a cloud provider such as Amazon or Google; trying all one million codes would cost around $150.
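The mechanics described above, as an added simulation that is not Laxman Muthiyah's proof of concept or any Instagram code: a six-digit reset code guarded only by a per-IP attempt counter that is checked before in-flight requests have incremented it, an attacker who spreads the one million guesses over a pool of addresses and sends them in concurrent batches, and, for contrast, the same endpoint with a per-account cap and an atomic check-and-record. The 200-attempts-per-IP cap (which is what turns one million codes into the 5,000 addresses quoted above), the endpoint model, the address pool and the target code are all constructed for the illustration.

```python
from collections import defaultdict
from itertools import islice
from math import ceil

CODE_SPACE = 1_000_000   # six decimal digits: 000000 to 999999
PER_IP_LIMIT = 200       # assumed per-IP cap; 1,000,000 / 200 gives the 5,000 IPs quoted above


def ips_needed(per_ip_limit=PER_IP_LIMIT):
    """Source addresses required to cover the whole code space under a per-IP cap."""
    return ceil(CODE_SPACE / per_ip_limit)


class ResetEndpoint:
    """Models the passcode-verification endpoint (constructed, not Instagram's code).

    per_account_limit=None, atomic=False -> vulnerable design: throttles per
      source IP only, and checks the counter before in-flight requests have
      bumped it (check-then-act, so concurrent requests race past the cap).
    per_account_limit=N, atomic=True -> hardened design: a cap on attempts per
      account plus an atomic check-and-record, so neither more IPs nor more
      concurrency buys extra guesses.
    """

    def __init__(self, code, per_account_limit=None, atomic=False):
        self.code = code
        self.per_account_limit = per_account_limit
        self.atomic = atomic
        self.ip_attempts = defaultdict(int)
        self.account_attempts = 0

    def _allowed(self, ip):
        if self.ip_attempts[ip] >= PER_IP_LIMIT:
            return False
        if (self.per_account_limit is not None
                and self.account_attempts >= self.per_account_limit):
            return False
        return True

    def _handle(self, ip, guess):
        self.ip_attempts[ip] += 1
        self.account_attempts += 1
        return "ok" if guess == self.code else "wrong"

    def verify_batch(self, requests):
        """Process one batch of concurrent requests [(ip, guess), ...]."""
        if self.atomic:
            # Check and record together: the Nth request sees N-1 already recorded.
            return [self._handle(ip, g) if self._allowed(ip) else "blocked"
                    for ip, g in requests]
        # Race: every check runs against the counter as it was when the batch
        # arrived, before any request in the batch has been recorded.
        decisions = [self._allowed(ip) for ip, _ in requests]
        return [self._handle(ip, g) if ok else "blocked"
                for ok, (ip, g) in zip(decisions, requests)]


def brute_force(endpoint, ips, batch_size=PER_IP_LIMIT):
    """Walk the code space in order, round-robin over `ips`, one concurrent
    batch per IP per round. Returns (code or None, attempts the server evaluated)."""
    guesses = (f"{n:06d}" for n in range(CODE_SPACE))
    evaluated = 0
    while True:
        for ip in ips:
            batch = [(ip, g) for g in islice(guesses, batch_size)]
            if not batch:
                return None, evaluated      # code space exhausted
            results = endpoint.verify_batch(batch)
            evaluated += sum(r != "blocked" for r in results)
            for (_, g), r in zip(batch, results):
                if r == "ok":
                    return g, evaluated
            if all(r == "blocked" for r in results):
                # Round-robin brings every IP to its cap in the same round, so
                # one fully refused batch means the server now refuses everything.
                return None, evaluated


if __name__ == "__main__":
    # Constructed target code and a pool of 5,000 made-up source addresses.
    pool = [f"10.{i // 256}.{i % 256}.1" for i in range(ips_needed())]
    print("IPs needed at", PER_IP_LIMIT, "attempts per IP:", ips_needed())
    print("vulnerable, 5,000 IPs:", brute_force(ResetEndpoint("031337"), pool))
    print("vulnerable, 10 IPs:   ", brute_force(ResetEndpoint("031337"), pool[:10]))
    print("hardened, 5,000 IPs:  ",
          brute_force(ResetEndpoint("031337", per_account_limit=10, atomic=True), pool))
```

With only ten addresses the vulnerable endpoint shuts the attacker out after 2,000 guesses, which is why the pool has to grow to about 5,000; with the full pool the target code is found after 31,400 evaluated guesses, while the hardened endpoint stops the run after the ten attempts its per-account cap allows, no matter how many addresses are used. The race is visible on its own too: a batch of 500 concurrent requests from a single address passes the non-atomic check-then-act counter in full, whereas the atomic version admits exactly 200.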
Laxman also released a proof-of-concept exploit for the vulnerability, which Instagram has since patched. The company awarded him a $30,000 bounty under its bug bounty program.
To reduce the risk of your accounts being compromised, it is always advisable to enable two-factor authentication, which stops an attacker who has obtained your password from logging in with it.