Monday, November 4, 2024

Critical Account Take over Vulnerability Allows to Hack Your Instagram Account within 10 Minutes


A security researcher reported a critical vulnerability that would have allowed an attacker to take complete control of any Instagram account within 10 minutes.

Facebook and Instagram frequently fix vulnerabilities discovered by their internal team as well as bugs reported by external independent security researchers.

The social media giant recently increased the bug bounty for critical flaws such as account takeover and remote code execution vulnerabilities.


Laxman Muthiyah, an independent security researcher from India, recently reported a critical account takeover vulnerability in Facebook-owned Instagram that let an attacker obtain the One Time Password (OTP) within 10 minutes; it could have affected billions of Instagram users.

Bypassing the One Time Password to Hack Instagram

Laxman initially looked for this vulnerability in Instagram's web interface by resetting the password of an Instagram account, but the web flow uses a strong link-based password reset mechanism that is not easy to exploit.

He then tried the same approach on the mobile interface, which asks the user to enter their mobile number in order to receive a 6-digit passcode (OTP) for resetting the password.

When a user requests the 6-digit OTP, the system randomly generates the passcode from one million possible combinations and sends it to the user, who must use it within 10 minutes.

An attacker could change any user's password and hack Instagram if they could try all one million passcode combinations by brute force, but Instagram rate-limits the requests to prevent such attacks.

In order to check the possibility, Laxman “sent around 1000 requests, 250 of them went through and the rest 750 requests were rate limited. Tried another 1000, now many of them got rate limited. So their systems are validating and rate-limiting the requests properly.”

Instagram Failed to Blacklist the Requesting IPs

During his testing, he was able to send a large number of requests within a fraction of a second without getting blocked.

According to his report, “After a few days of continuous testing, I found two things that allowed me to bypass their rate-limiting mechanism.

  1. Race Hazard
  2. IP rotation”

This could be achieved by sending concurrent requests from multiple IPs, which allowed a large number of requests to go through without being rate limited.

Since the passcode expires within 10 minutes, an attacker would need 5000 IPs to check all one million passcode combinations and hack an Instagram account.
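To show the defensive property at stake, here is an added example (not Instagram's code, and not from the researcher's report) of an OTP verifier whose attempt budget is keyed to the account and the issued code rather than to the client IP, and is enforced under one lock, so neither IP rotation nor a burst of concurrent requests can exceed it; the limit of 5 attempts is an assumed value.

```python
import secrets
import threading
import time

OTP_TTL_SECONDS = 600  # codes expire after 10 minutes, as in the article
MAX_ATTEMPTS = 5       # assumed per-code guess budget (hypothetical value)


class OtpService:
    def __init__(self):
        self._lock = threading.Lock()
        self._codes = {}  # account -> [code, expiry_time, attempts_used]

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"  # one of a million
        with self._lock:
            self._codes[account] = [code, now + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, account, guess, now=None):
        now = time.time() if now is None else now
        # Budget is keyed by account, not client IP, so IP rotation does not
        # reset it; check-and-increment happens under one lock, so concurrent
        # requests cannot race past the limit.
        with self._lock:
            entry = self._codes.get(account)
            if entry is None or now > entry[1]:
                return "expired"
            if entry[2] >= MAX_ATTEMPTS:
                return "locked"
            entry[2] += 1
            if secrets.compare_digest(entry[0], guess):
                del self._codes[account]  # single use
                return "ok"
            return "wrong"


def simulate_concurrent_guesses(n_requests=200):
    """Fire n_requests guesses at once and count evaluated vs locked."""
    svc = OtpService()
    svc.issue("victim")
    results = []  # list.append is atomic under the GIL
    threads = [threading.Thread(target=lambda i=i: results.append(
        svc.verify("victim", f"{i:06d}"))) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    evaluated = results.count("wrong") + results.count("ok")
    return evaluated, results.count("locked")
```

Running `simulate_concurrent_guesses()` shows that only MAX_ATTEMPTS of the concurrent guesses are ever compared against the code, whatever the number of requests or source addresses.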

“It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” the researcher said.

The Facebook and Instagram security team fixed the issue and rewarded him $30,000 as part of their bug bounty program.

Facebook recently revealed that it had stored tens of millions of Instagram passwords in plain text, in a human-readable format, rather than masking them.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
