Last month, a researcher explained how a flaw in Instagram's password-reset flow could let an attacker hijack any Instagram account within 10 minutes. Now the same researcher has disclosed a second Instagram vulnerability, this one threatening over 1 million accounts.
Latest Instagram Vulnerability Threatening 1M Accounts
Security researcher Laxman Muthiyah has reportedly discovered another Instagram vulnerability that allows account takeovers. By his estimate, an attacker could use it to hijack over 1 million accounts within 10 minutes. Muthiyah has shared the details of his findings in a new blog post.
As explained in the post, when a device requests a passcode during the password-reset process, Instagram issues that device a unique, randomly generated identifier, the Device ID. The Device ID is returned to the requesting device together with the passcode, and Instagram later checks a submitted passcode against that same Device ID.
The researcher probed how Instagram handled the Device ID and found that one device could request passcodes for many different accounts, so a single Device ID could be linked to many outstanding passcodes for separate accounts. Since any of those passcodes is accepted for that Device ID, every additional passcode the attacker requests raises the probability that a guessed code matches some account.
The math, as the researcher lays it out in his post, is simple: a six-digit passcode has one million possible values (000000 through 999999), so a single guess against a single account succeeds one time in a million. The more passcodes an adversary has tied to one Device ID, the more of those million values are valid at the same time, and the greater the chance that any given guess takes over some account.
“If you request passcodes for 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request passcodes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the passcode one by one.”
In the limit, an attacker who requests one million passcodes from the same device has every possible code in play at once, so stepping through the codes one by one hits an account on every attempt and the attack reaches a 100% success rate.
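The simulation below is an added example written for this article; it is not Instagram's code, not the researcher's proof of concept, and the class and account names, the Device ID value and the victim list are all constructed. It models the verification behaviour described above (any passcode issued to a Device ID is accepted for that Device ID), runs the increment-the-code sweep against it, and shows the expected-takeover arithmetic behind the 10 percent figure in the quote. The hardened variant, which allows one outstanding passcode per Device ID bound to a single account and caps attempts, is one possible mitigation and is not presented as Facebook's actual fix.

```python
"""Model of the shared-Device-ID passcode weakness and one way to close it.
Constructed for this article; not Instagram's code. All names are assumed."""
import random

CODE_SPACE = 1_000_000        # six-digit passcodes, 000000 .. 999999


def _random_code(rng, code_space):
    """A zero-padded passcode drawn uniformly from the code space."""
    width = len(str(code_space - 1))
    return f"{rng.randrange(code_space):0{width}d}"


class VulnerableResetService:
    """Accepts any passcode ever issued to a Device ID, whichever account it was
    issued for: the behaviour described in the article (assumed model)."""

    def __init__(self, code_space=CODE_SPACE, rng=None):
        self.code_space = code_space
        self.rng = rng or random.SystemRandom()
        self.issued = {}          # device_id -> {code: [accounts]}

    def request_passcode(self, account, device_id):
        code = _random_code(self.rng, self.code_space)
        self.issued.setdefault(device_id, {}).setdefault(code, []).append(account)
        return code               # delivered to the victim, never to the requester

    def verify(self, device_id, code):
        """Every account whose outstanding passcode on this device matches."""
        return self.issued.get(device_id, {}).pop(code, [])


class HardenedResetService:
    """One outstanding passcode per Device ID, bound to a single account, with a
    small attempt budget before it is invalidated (one possible mitigation, not
    necessarily Facebook's actual fix)."""

    MAX_ATTEMPTS = 5

    def __init__(self, code_space=CODE_SPACE, rng=None):
        self.code_space = code_space
        self.rng = rng or random.SystemRandom()
        self.pending = {}         # device_id -> [account, code, attempts]

    def request_passcode(self, account, device_id):
        code = _random_code(self.rng, self.code_space)
        self.pending[device_id] = [account, code, 0]   # replaces any earlier request
        return code

    def verify(self, device_id, code):
        entry = self.pending.get(device_id)
        if entry is None:
            return []
        entry[2] += 1
        if entry[2] > self.MAX_ATTEMPTS:
            del self.pending[device_id]   # locked out; a fresh passcode is required
            return []
        if code == entry[1]:
            del self.pending[device_id]   # single use
            return [entry[0]]
        return []


def sweep_attack(service, accounts, device_id, attempt_budget):
    """Request a passcode for every account from one Device ID, then submit codes
    000000, 000001, ... until the attempt budget (the 10-minute window) runs out.
    Returns the set of accounts whose passcode was accepted."""
    for account in accounts:
        service.request_passcode(account, device_id)
    width = len(str(service.code_space - 1))
    compromised = set()
    for guess in range(min(attempt_budget, service.code_space)):
        compromised.update(service.verify(device_id, f"{guess:0{width}d}"))
    return compromised


def expected_compromised(n_accounts, attempt_budget, code_space=CODE_SPACE):
    """Expected takeovers against the vulnerable service. Each victim's code is
    uniform over the space, so it lies among the first `attempt_budget` guesses
    with probability attempt_budget / code_space. 100k victims and 100k guesses
    gives 10k (the 10 percent hit rate quoted above); 100k victims and a full
    million-guess sweep gives all 100k."""
    return n_accounts * min(attempt_budget, code_space) / code_space


if __name__ == "__main__":
    victims = [f"user{i}" for i in range(100_000)]        # constructed victim list
    device = "attacker-device-id"                          # assumed value
    for cls in (VulnerableResetService, HardenedResetService):
        hits = sweep_attack(cls(), victims, device, CODE_SPACE)
        print(f"{cls.__name__}: {len(hits)} of {len(victims)} accounts taken over")
```

Against the vulnerable model a full sweep recovers every victim whose passcode was requested, because each issued code necessarily lies somewhere in the million values the attacker walks through; the attacker's real constraint is how many verification attempts fit in the 10-minute window, which is why tying more accounts to one Device ID matters. Against the hardened model the same sweep can unlock at most the last account requested, and only if its code falls within the first five guesses.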
Facebook Awarded $10K Bounty
Last month, Muthiyah reported a vulnerability that could let an attacker hijack any Instagram account by spreading the attack across thousands of IP addresses. Facebook rated that flaw serious enough to award him a $30,000 bounty. Its one limiting factor was that a reset passcode expires 10 minutes after it is issued, so the whole attack had to fit inside that window.
The researcher considers the new vulnerability less severe than the earlier one, and it carries the same constraint: the entire attack must be completed within the 10-minute passcode lifetime. Even so, it earned him a $10,000 bounty from Facebook. Facebook has since patched the flaw, so users are no longer exposed to it.
Let us know your thoughts in the comments.