Laxman Muthiyah is a white-hat hacker: a programmer who uses his skills to find security flaws in the code of software. Such researchers are also referred to as ethical hackers. Facebook recently awarded him $10,000 for discovering a critical vulnerability that potential attackers could have used to break into people's private Instagram accounts.
Muthiyah's findings revealed a flaw in the password recovery process Instagram uses on smart devices, specifically the step that asks the user to confirm a six-digit code before changing the password. It wasn't that long ago that Instagram finally updated its network and added this security measure to the platform, apparently with some bumps in the road.
Rushed Code Brings Problems
Muthiyah found that Instagram generates a random ID for every device that makes a password reset request. The same ID is also used to validate the code. He discovered that Instagram allowed one device ID to be used to request new codes for multiple user accounts. This would allow hackers to carry out DDoS attacks to obtain the codes on their own quickly.
Muthiyah released a statement saying that a device ID is a unique identifier used by the Instagram servers to validate password reset codes. If a user requests a password code using their smart device, the ID of that device is sent with the request. That same ID is used again to verify the passcode. A regular user may not be aware of it, but someone is always watching online.
The request Muthiyah used looks like this (only the headers are shown):
POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1
User-Agent: Instagram 18.104.22.168.114 Android (27/8.1.0; 440dpi; 1080x2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Getting Around a Problem to Fix It
The expert explained that the device ID is a string generated randomly by Instagram. Asked what would happen if the same device ID were used to request access codes for a large number of Instagram accounts, Muthiyah said that he had already run the tests. He found that the same device ID could be used to ask the servers for password codes for many different users. With a combination of six digits, he could get access to a million accounts in a heartbeat.
He illustrated his findings with an example: a user requests password codes for 100,000 users with the same device ID. That user will have a 10% success rate, since 100,000 codes are created for the same device ID. If the user requests codes for a million users, he will gain instant access to a million accounts from the same device by increasing the password code by one. Even with the 10-minute window to use the code, it can be done, according to Muthiyah.
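A server-side sketch of controls that close the gap described above, added here as an example (it is not Instagram's code or its actual fix, which the article does not describe): each code is bound to one account and one device ID, a device ID may request codes for only a few accounts per window, and guesses per code are capped. The class name, the per-device account cap and the attempt limit are assumptions; the 10-minute lifetime comes from the article.

```python
import hmac
import secrets
import time
from collections import defaultdict

CODE_TTL = 600               # the article's 10-minute window, in seconds
MAX_ACCOUNTS_PER_DEVICE = 3  # assumed policy value
MAX_VERIFY_ATTEMPTS = 5      # assumed policy value


class ResetCodeService:  # hypothetical name, for illustration only
    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}  # account -> [code, device_id, expires_at, attempts_left]
        self.device_accounts = defaultdict(dict)  # device_id -> {account: requested_at}

    def request_code(self, account, device_id):
        now = self.clock()
        # Accounts this device ID asked about inside the current window.
        recent = {a: t for a, t in self.device_accounts[device_id].items()
                  if now - t < CODE_TTL}
        recent[account] = now
        self.device_accounts[device_id] = recent
        if len(recent) > MAX_ACCOUNTS_PER_DEVICE:
            return None  # one device ID fanning out across accounts: refuse
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = [code, device_id, now + CODE_TTL, MAX_VERIFY_ATTEMPTS]
        return code

    def verify(self, account, device_id, guess):
        entry = self.codes.get(account)
        if entry is None:
            return False
        code, bound_device, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.codes[account]  # expired or guess budget spent
            return False
        entry[3] -= 1  # every guess counts, whichever device sends it
        ok = bound_device == device_id and hmac.compare_digest(code, guess)
        if ok:
            del self.codes[account]  # codes are single use
        return ok
```

Under these limits a single device ID can hold live codes for at most three accounts, with five guesses each, instead of one guess against each of a million accounts.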
If the name of this ethical hacker sounds familiar, it's because he's a very busy man. Back in July he reported to Instagram how easy it was to hack its accounts because the platform's rate limit could be bypassed. He published his findings, demonstrating the vulnerability with nearly 200,000 password combinations in a matter of moments without getting blocked. He received a bounty of $30,000 that time as part of Facebook's bug-hunting program.