Indian security researcher spots another Instagram bug, gets $10,000 as reward

Instagram bug allowed the same device ID to be used to request multiple passcodes for different users.


Just a month ago, Indian security researcher Laxman Muthiyah found a bug in the Instagram app and was rewarded $30,000 by the platform for reporting it as part of its bug bounty program. Muthiyah has now reported another 'similar' issue with the platform, this time bagging a $10,000 reward.

In his blog post, Muthiyah wrote that the newly spotted bug in Instagram allowed the same device ID, the unique identifier used by the Instagram server to validate password reset codes, to be used to request multiple passcodes for different users. This left Instagram accounts vulnerable to exploitation.


This vulnerability, he points out, is similar to the one he reported in July, which allowed him to “hack any Instagram account without consent permission”. He had said that the hack was as simple as initiating a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account.
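The two weaknesses described above (one device ID requesting codes for many accounts, and rapid guessing of recovery codes) can be closed on the server side. The following is an added example, not code from Muthiyah's post or from Instagram, whose actual fix is not described here; the class name, limits and code length are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Assumed policy values for this sketch; not taken from Instagram.
MAX_ACCOUNTS_PER_DEVICE = 1   # distinct accounts one device ID may hold live codes for
MAX_ATTEMPTS_PER_CODE = 5     # guesses allowed before a code is burned
CODE_TTL = 600                # seconds a reset code stays valid


class ResetCodeService:
    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}                        # user -> issued code record
        self._device_users = defaultdict(dict)  # device_id -> {user: expiry}

    def request_code(self, user, device_id):
        """Issue a code, refusing a device ID that already holds one for another account."""
        now = self._now()
        active = {u: e for u, e in self._device_users[device_id].items() if e > now}
        self._device_users[device_id] = active
        if user not in active and len(active) >= MAX_ACCOUNTS_PER_DEVICE:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        active[user] = now + CODE_TTL
        self._codes[user] = {"code": code, "device": device_id,
                             "expires": now + CODE_TTL, "attempts": 0}
        return code

    def verify(self, user, device_id, guess):
        """Accept a guess only from the requesting device, within TTL and attempt budget."""
        entry = self._codes.get(user)
        if entry is None or entry["expires"] <= self._now():
            self._codes.pop(user, None)
            return False
        entry["attempts"] += 1                  # counted whichever device is guessing
        if entry["attempts"] > MAX_ATTEMPTS_PER_CODE:
            del self._codes[user]               # burn the code; a new request is needed
            return False
        ok = entry["device"] == device_id and hmac.compare_digest(entry["code"], guess)
        if ok:
            del self._codes[user]               # codes are single use
        return ok
```

The attempt counter is keyed to the account's code rather than to the caller, so spreading guesses across device IDs or addresses does not reset it.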

When Muthiyah posted about the bug on his blog, the issue had already been fixed by Facebook. "Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme," Muthiyah wrote.

In the past, Muthiyah also spotted a data deletion snag and a data disclosure bug in Facebook. The first bug had the potential to corrupt all your photos without the attacker knowing your password, while the second could trick you into installing an innocent-looking mobile app, which could sneak into all your photos without even being granted access to your account.