Instagram bug found by Indian security researcher let him hack into any account

As part of a bug bounty programme, Instagram awarded Muthiyah $30,000.


Indian security researcher Laxman Muthiyah recently found a bug in the Instagram app which allowed him to hack into any account on the platform. Muthiyah reported the bug to Instagram, and as part of a bug bounty programme, Instagram awarded him $30,000.

Muthiyah said that the vulnerability allowed him to “hack any Instagram account without consent permission”, IANS reported.

He said that the hack was as simple as initiating a password reset, requesting a recovery code, and quickly trying out possible recovery codes against the account.

Stock image of Instagram. Image: Reuters

“Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn’t find any bugs after a few minutes of testing. Then I switched to their mobile recovery flow, where I was able to find a susceptible behaviour,” Laxman Muthiyah wrote in a blog post.

“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof-of-concept video, I could convince them the attack is feasible.”

Instagram's team has since fixed the bug.

In the past, Muthiyah also spotted a data deletion bug and a data disclosure bug in Facebook. The first had the potential to corrupt all your photos without knowing your password, while the second could trick you into installing an innocent-looking mobile app which could sneak into all your photos without your even granting it access to your account.
