August 27, 2019
Imagine if a cybercriminal had the resources and expertise to take over one million accounts in ten minutes. That’s precisely what Instagram was risking because of a crucial security vulnerability, according to specialist Laxman Muthiyah.
On his Twitter profile, Laxman Muthiyah describes himself as a web developer, security researcher and “sometimes hacker,” although he is one of the good guys: he uses his expertise to spot potential vulnerabilities and reports them to the affected company so that they can be fixed in time, sometimes earning bounties for his work.
A Crucial Exploit
Recently, Muthiyah identified a crucial exploit on Instagram, specifically in the way the social media network validated its password reset codes. The vulnerability could have allowed an attacker to request one million password reset codes within a 10-minute window with a 100 percent success rate.
With this vulnerability, there was no need for password lists or additional tricks to steal Instagram passwords. Instead, the attacker could simply use the platform’s own password reset process and breach thousands of accounts.
The specialist had already found a vulnerability in July, one that could have allowed cybercriminals to take over an account on the platform without the owner’s consent. Facebook (remember, Instagram is owned by the social networking giant) paid him $30,000 for his valuable help, and the problem was quickly fixed. That earlier finding involved the six-digit password reset codes Instagram uses to validate a reset.
The researcher found a way to bypass the brute-force protections the platform uses to stop outsiders from cracking the code with readily available computing power.
And while the expert had already identified three Facebook vulnerabilities in the past, with this one the fourth, he wasn’t going to stop there. As it turned out, he discovered that there could be further account takeover vulnerabilities at the password reset endpoint.
Issues With the Password Reset Code System
Muthiyah then shifted his focus to the device ID that Instagram uses as a unique identifier when validating the password reset code; the issue he found there was less severe than the last exploit, but still serious.
He explained that when a person requests a passcode from a mobile device, a device ID is sent with that request, and the same device ID is then used to verify the code.
Since Muthiyah is continually checking for alternative or hypothetical scenarios, he is often creative in identifying problems and coming up with solutions. In that spirit, he wondered: what if the same device ID were used to request password reset codes for several accounts? Sadly, that turned out to be possible.
Simple math was the only thing required from that point on. A six-digit code has one million possible values, so requesting codes for 100,000 people from the same device ID would yield a 10 percent success rate.
Yet if codes were requested for one million users, the attacker’s success rate could reach 100 percent by incrementing the passcode one by one.
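The flaw described above comes down to what the reset code is bound to: if verification is keyed only by the device ID, one device that has requested codes for many accounts can match a guess against any of them. The following is an added illustration (not Instagram’s or Facebook’s code, and not the researcher’s) of a hardened design: each code is stored per account, bound to the device that requested it, expires after the 10 minutes the article mentions, is discarded after a handful of wrong guesses, and a single device ID is capped in how many accounts it may hold outstanding codes for. The class, method names and the two limits (`MAX_VERIFY_ATTEMPTS`, `MAX_ACCOUNTS_PER_DEVICE`) are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

CODE_TTL_SECONDS = 600        # codes expire after 10 minutes, as the article states
MAX_VERIFY_ATTEMPTS = 5       # hypothetical: wrong guesses allowed before the code is discarded
MAX_ACCOUNTS_PER_DEVICE = 3   # hypothetical: distinct accounts one device ID may hold codes for


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class ResetCodeService:
    """Toy model of a hardened password-reset flow (illustrative only)."""
    pending: Dict[str, PendingReset] = field(default_factory=dict)     # user -> outstanding code
    device_users: Dict[str, Set[str]] = field(default_factory=dict)    # device_id -> users it requested for

    def issue(self, user: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
        """Create a six-digit code for `user`, bound to `device_id`. Returns None if refused."""
        now = time.time() if now is None else now
        self._expire_stale(now)
        users = self.device_users.setdefault(device_id, set())
        # One device ID may not keep accumulating outstanding codes for ever more accounts.
        if user not in users and len(users) >= MAX_ACCOUNTS_PER_DEVICE:
            return None
        users.add(user)
        code = f"{secrets.randbelow(1_000_000):06d}"   # one million possible values
        self.pending[user] = PendingReset(code=code, issued_at=now)
        # Returned here only so the example can be exercised; a real service delivers it
        # to the account owner's phone and never hands it back to the caller.
        return code

    def verify(self, user: str, device_id: str, code: str, now: Optional[float] = None) -> bool:
        """Check a submitted code for one specific account from one specific device."""
        now = time.time() if now is None else now
        self._expire_stale(now)
        entry = self.pending.get(user)
        if entry is None:
            return False
        # The code is bound to the account AND the device that requested it, so a guess
        # is never compared against codes issued to other accounts.
        if user not in self.device_users.get(device_id, set()):
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, code)
        if ok or entry.attempts >= MAX_VERIFY_ATTEMPTS:
            # A nonce is single-use: consume it on success, discard it after too many misses.
            self._discard(user)
        return ok

    def _expire_stale(self, now: float) -> None:
        stale = [u for u, e in self.pending.items() if now - e.issued_at > CODE_TTL_SECONDS]
        for user in stale:
            self._discard(user)

    def _discard(self, user: str) -> None:
        self.pending.pop(user, None)
        for users in self.device_users.values():
            users.discard(user)


if __name__ == "__main__":
    svc = ResetCodeService()
    code = svc.issue("alice", "device-A", now=0.0)
    print("same device, right code:", svc.verify("alice", "device-A", code, now=1.0))
    print("code reused after success:", svc.verify("alice", "device-A", code, now=2.0))
```

The important design choice is that `verify` looks the code up by account first and only then checks the device binding, so the number of accounts a device has requested codes for never widens the set of codes a single guess is compared against; the per-device cap and the attempt limit are the rate-limiting layers on top of that.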
A 10-Minute Window
There is a caveat, though. The 10-minute window mentioned earlier comes from the lifetime of Instagram’s password reset codes: they expire after 10 minutes. Even so, that could be more than enough time for a massive attack. The researcher noted that the attack would therefore have to be carried out within that timeframe.
Facebook security staffers reacted quickly, confirmed the potential exploit, and fixed it in time. The social network said that Muthiyah had spotted insufficient protections on a recovery endpoint, which would have allowed an attacker to generate several valid nonces (a cryptography term for an arbitrary number meant to be used only once) to attempt account recovery.
The social network handed the “good hacker” a $10,000 bounty as a token of its appreciation for his help.