Recently, an Indian bug bounty hunter discovered a critical vulnerability in Instagram that can allow hackers to take complete control of anyone’s account. Read on to know more…
Recently, Instagram, the Facebook-owned photo and video-sharing social networking service, was found to be vulnerable to hackers. The security vulnerability could allow remote attackers to reset the password for any Instagram account and take complete control of it.
Discovered and reported by Indian bug bounty hunter Laxman Muthiyah, the vulnerability resided in the ‘password recovery’ feature of the mobile version of Instagram. He then demonstrated to his followers how the password recovery mechanism of the Instagram mobile app could have allowed hackers to gain access to an account.
The Security Vulnerability
The ‘password reset’ or ‘password recovery’ is a feature in Instagram that enables users to regain access to their accounts in case they forget their password. Recovering an Instagram account on mobile requires a user to provide a six-digit passcode to prove the user’s identity. The passcode is sent to the associated mobile number or email account.
Muthiyah noted that this passcode is one of only a million possible combinations, which could let attackers unlock any Instagram account using a brute-force attack. Although Instagram’s rate-limiting mechanism should prevent such attacks, Muthiyah further found that it could be bypassed by sending the brute-force requests from different IP addresses and leveraging a race condition. This allowed an attacker to send concurrent requests so that multiple attempts were processed simultaneously.
“My tests did show the presence of rate limiting. I sent around 1000 requests, 250 of them went through and the remaining 750 requests were rate limited. I tried another 1000, and now many of them got rate limited. So their systems are validating and rate limiting the requests properly,” said Muthiyah in a blog post.
So, what exactly caused the bypass of the rate-limiting mechanism? During the investigation, it was found that two things together allowed the bypass: a ‘race hazard’ and ‘IP rotation’.
“Race hazard (concurrent requests) and IP rotation allowed me to bypass it. Otherwise, it wouldn’t be possible. 10 minutes expiry time is the key to their rate limiting mechanism, that’s why they didn’t enforce permanent blocking of codes,” Laxman told The Hacker News.
In Muthiyah’s YouTube video, he demonstrates how he tries 200,000 different passcode combinations at the same time and does not get blocked. “In a real attack scenario, the attacker needs 5,000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around $150 to perform the complete attack of one million codes,” he wrote in his blog post.
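As an added illustration (not code from Muthiyah’s write-up or from Instagram), the Python model below contrasts the two designs the story turns on: a limiter keyed only on the source IP, which hands every new address a fresh budget and checks before it counts, against one keyed on the account’s recovery code, which counts under a lock before checking and invalidates the code after a handful of failures. The limits, class names and simulated IP labels are assumptions.

```python
import threading
from collections import defaultdict

CODE_SPACE = 1_000_000   # six-digit recovery code: one million possibilities
PER_IP_LIMIT = 250       # assumed: attempts one IP gets before it is throttled
PER_CODE_LIMIT = 10      # assumed: attempts one issued code may absorb in total


class PerIpLimiter:
    """Weak model: the budget is keyed on the client IP, so rotating
    addresses yields a fresh budget each time, and the check happens
    before the increment, so concurrent requests can all pass the check."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def allow(self, account, ip):
        if self.attempts[ip] >= PER_IP_LIMIT:   # check ...
            return False
        self.attempts[ip] += 1                  # ... then count: racy
        return True


class PerCodeLimiter:
    """Hardened model: the budget is keyed on the account whose code is
    being guessed, counted atomically before the check, and the code is
    invalidated once the budget is spent, whatever IPs were used."""

    def __init__(self):
        self.attempts = defaultdict(int)
        self.invalidated = set()
        self.lock = threading.Lock()

    def allow(self, account, ip):
        with self.lock:                         # count-then-check, atomically
            if account in self.invalidated:
                return False
            self.attempts[account] += 1
            if self.attempts[account] > PER_CODE_LIMIT:
                self.invalidated.add(account)   # user must request a new code
                return False
            return True


def guesses_admitted(limiter, num_ips, attempts_per_ip):
    """Count how many guesses against one account a limiter lets through
    when the guesses are spread over num_ips constructed IP labels."""
    admitted = 0
    for i in range(num_ips):
        for _ in range(attempts_per_ip):
            if limiter.allow("victim-account", f"ip-{i}"):
                admitted += 1
    return admitted
```

Spreading 250 guesses over each of 4,000 addresses lets the per-IP limiter admit the whole million-code space, while the per-code limiter admits ten guesses and then retires the code.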
Muthiyah has released a proof-of-concept for the vulnerability, which has now been patched. Meanwhile, users are advised to enable ‘two-factor authentication’ which could prevent hackers from accessing their accounts even if they manage to steal the passwords.