Indian security researcher Laxman Muthiyah recently found a bug in the Instagram app that allowed him to hack into any account on the platform. Muthiyah reported the bug to Instagram, and as part of its bug bounty programme, Instagram awarded him $30,000. Muthiyah said the vulnerability allowed him to “hack any Instagram account without consent permission”, IANS reported. He said the attack was as simple as initiating a password reset, requesting a recovery code, and then quickly trying out possible recovery codes against the account.

Stock image of Instagram. Image: Reuters

“Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn’t find any bugs after a few minutes of testing. Then I switched to their mobile recovery flow, where I was able to find a susceptible behaviour,” Laxman Muthiyah wrote in a blog post.

“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof-of-concept video, I could convince them the attack is feasible.”

Instagram’s team has since fixed the bug. In the past, Muthiyah also spotted a data deletion bug and a data disclosure bug in Facebook. The first had the potential to delete all of your photos without requiring your password, while the second could trick you into installing an innocent-looking mobile app that could access all of your photos without you ever granting it access to your account.