Home Hacking News Instagram Login Vulnerability Could Allow Account Takeover in Minutes
Hacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

Instagram Login Vulnerability Could Allow Account Takeover in Minutes

by Abeerah Hashim
written by Abeerah Hashim
Instagram bug allowed changing reel thumbnail

A researcher has found a way to break into Instagram accounts within minutes. As discovered, an Instagram login vulnerability could let potential hackers bypass two-factor authentication.

Instagram Login Vulnerability Discovered

As revealed in a recent blog post, the researcher Laxman Muthiyah spotted a flaw that threatened Instagram users. He discovered an Instagram login vulnerability that could let an attacker bypass 2FA.

While looking for a probable flaw within the Facebook and Instagram platform, he tested the Instagram forgot password endpoint. While there seemed no problem with the password reset link on the web interface, the mobile platform told a different story.

Like a usual verification method, the platform sent a six-digit password reset code to a user’s mobile number. And, like other codes, it was possible for an adversary to brute force the code. The researcher believed there would be some rate-limiting to prevent brute-forcing.

Whilst the platform does apply rate-limiting, he also noticed two methods for which to bypass such limiting: the absence of IP blacklisting and a race condition. As stated in his blog,

I was able to send requests continuously without getting blocked even though the number of requests I can send in a fraction of time is limited.

Yet, it was not as easy as it sounds. The researcher explained that the code would expire within 10 minutes. So, to successfully exploit the flaw, an attacker would have to perform the attack using 1000s of IPs.

While the researcher has given the PoC in his blog post, he has also demonstrated the attack in the following video.

$30K Bounty Awarded

Although there were some limitations to potentially prevent a successful attack, the vulnerability was not a small issue. As explained by the researcher, an adversary could have possessed the resources to exploit it.

In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.

He reported the Instagram vulnerability to Facebook, upon which, Facebook awarded him a bounty of $30,000.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses