A security researcher recently discovered a serious vulnerability that could have allowed any Instagram account to be taken over.
Because Facebook and Instagram offer high rewards to those who discover vulnerabilities in their platforms, an Indian security researcher, Laxman Muthiyah, chose to look at the Instagram platform.
Muthiyah investigated whether there might be a vulnerability in the process for handling password reset requests from users who have forgotten their password.
The researcher found that when users request a password reset via the Instagram link, the site sends an email to the user.
After testing, Muthiyah was unable to find any security gaps in that process, so he turned his attention to how smartphone users regain access to their Instagram accounts.
What he found was that Instagram allowed locked-out users to request a six-digit security code sent to their cellphone or email. If this code is entered, the user regains access to their Instagram account.
In theory, if a hacker could obtain the six-digit security code, they could break into the Instagram account (and reset the password, locking out the rightful owner).
This code could have been stolen if a hacker managed to access the victim's email account or had taken control of the victim's cell phone via the SIM swap scam. However, Muthiyah wondered whether there could be another way to break into an account if neither of these options was available.
Muthiyah realized that it was enough for the hacker to supply the correct six-digit code, which is any combination between 000000 and 999999, within the ten minutes before that code expired.
That means up to one million codes would have to be tried within ten minutes in order to change the password of an Instagram account.
Hackers can run code that rapidly submits different code combinations until the right one is found. As a defense mechanism, the platform is able to detect this behaviour and progressively slows down subsequent attempts until the ten-minute window has elapsed.
In his tests, Muthiyah saw that out of 1,000 attempts to guess the security code of an Instagram account, 250 received an immediate response while the following 750 were delayed.
However, after a few extra days of testing, the researcher discovered that Instagram's response delay mechanism could be bypassed if the IP address of the sending computer was changed (in other words, by not using the same computer to submit the recovery code).
“Sending concurrent requests using different IP addresses allowed me to send a large number of requests without a time limit on the response. The number of requests we can send depends on the number of simultaneous requests and the number of IP addresses we use. As the code expires in 10 minutes, this makes the attack even more difficult. Eventually we needed about 1,000 IPs to complete the attack.”
Muthiyah says he used 1,000 different machines and IP addresses to carry out the attack successfully, sending around 200,000 requests in his tests. He even created a YouTube video to demonstrate the attack.
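The weakness described above is a throttle keyed on the source IP, so each new address gets a fresh budget of immediate answers. The following added example (not code from the researcher's write-up or from Instagram) contrasts that design with a limiter keyed on the target account, and reproduces the 250-immediate-out-of-1,000 figure from the article under a single IP; the per-account cap, the account name and the IP addresses are constructed for illustration.

```python
from collections import defaultdict

CODE_SPACE = 1_000_000          # six-digit codes: 000000..999999 (from the article)
IMMEDIATE_PER_IP = 250          # unthrottled attempts per IP observed in the article
MAX_PER_ACCOUNT = 20            # hypothetical cap per account, regardless of source IP


class PerIpLimiter:
    """Weak scheme: counts attempts per source IP only (the behaviour the article describes)."""

    def __init__(self, limit=IMMEDIATE_PER_IP):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, ip, account):
        self.counts[ip] += 1            # the account being targeted is ignored
        return self.counts[ip] <= self.limit


class PerAccountLimiter:
    """Hardened scheme: counts attempts against the target account across all IPs."""

    def __init__(self, limit=MAX_PER_ACCOUNT):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, ip, account):
        self.counts[account] += 1       # rotating IPs no longer resets the budget
        return self.counts[account] <= self.limit


def unthrottled_attempts(limiter, attempts, ip_pool, account="victim"):
    """Simulate `attempts` code submissions cycling through ip_pool (constructed
    addresses) and return how many were answered without throttling."""
    return sum(
        1 for i in range(attempts)
        if limiter.allow(ip_pool[i % len(ip_pool)], account)
    )


def success_probability(allowed_attempts, code_space=CODE_SPACE):
    """Chance of hitting the one valid code within the ten-minute window, given
    how many distinct guesses the limiter lets through."""
    return min(allowed_attempts, code_space) / code_space


if __name__ == "__main__":
    pool = [f"203.0.113.{n}" for n in range(1, 5)]      # constructed IPs
    print(unthrottled_attempts(PerIpLimiter(), 1000, pool[:1]))   # 250
    print(unthrottled_attempts(PerIpLimiter(), 1000, pool))       # 1000
    print(unthrottled_attempts(PerAccountLimiter(), 1000, pool))  # 20
```

With the per-account limiter, the ceiling on guesses against any one account is the same whether the requests come from one machine or a thousand, which is the property the per-IP throttle lacked.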