A security researcher uncovered a bug in Instagram’s account recovery process that could’ve been used to break into people’s accounts.
Researcher Laxman Muthiyah found the bug while investigating how the social media app lets you regain access to your account in the event that you’ve forgotten your password. To prove your identity, Instagram can send a six-digit random code to your smartphone via SMS message. You’ll then be asked to input the digits into the app.
Muthiyah wondered if anyone could “brute force” the process by inputting a huge number of combinations to try and guess the right code. As it turns out, you can, under certain conditions.
Instagram has some restrictions on inputting codes into the account recovery process. They include rate-limiting the number of guesses to 250 per IP address. The guesses must also be made within a 10-minute window.
Figuring out a six-digit code means there are a million different total combinations to try. That’s far too many for any human to input. However, Muthiyah found he could automate a brute-force attack against Instagram through its API. He did this by writing a script to concurrently submit a massive number of guesses over a rotating list of IP addresses.
Muthiyah uploaded a video demonstrating the attack, which shows him sending 200,000 guesses to break into an Instagram test account. “In a real attack scenario, the attacker needs 5,000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around $150 to perform the complete attack of one million codes,” he wrote in his blog post.
The good news is that Instagram has fixed the bug. Muthiyah told PCMag the app now blocks the number of passcode guesses you can send, even when using multiple IP addresses. “Hence one can’t send all the possibilities within 10 minutes,” he said in a chat over Facebook Messenger.
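To make the difference between the two policies concrete, here is an added simulation (not Instagram's code, and not from Muthiyah's write-up) of a rate limiter in front of a recovery-code check. It uses the article's figures of 250 attempts per IP in a 10-minute window, and assumes a second cap, keyed on the targeted account, for the corrected policy; the IP addresses and the `PER_ACCOUNT_LIMIT` value are constructed for the example. Counting how many guesses get through shows why a per-IP limit alone is defeated by spreading attempts over many addresses, while a per-account limit bounds the total no matter how many addresses are used.

```python
from collections import defaultdict, deque

# Figures taken from the article: 250 guesses per IP within a 10-minute window.
WINDOW_SECONDS = 600
PER_IP_LIMIT = 250
# Assumed value for the corrected policy: total attempts allowed per
# account in the window, regardless of how many source addresses are used.
PER_ACCOUNT_LIMIT = 250


class RecoveryCodeLimiter:
    """Simulated rate limiter in front of a recovery-code check.

    per_account=False models a per-IP-only policy;
    per_account=True adds a cap keyed on the targeted account.
    """

    def __init__(self, per_account: bool):
        self.per_account = per_account
        self.ip_history = defaultdict(deque)       # ip -> attempt timestamps
        self.account_history = defaultdict(deque)  # account -> attempt timestamps

    @staticmethod
    def _prune(history: deque, now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while history and now - history[0] >= WINDOW_SECONDS:
            history.popleft()

    def allow_attempt(self, account: str, ip: str, now: float) -> bool:
        """Return True if the guess may be checked, False if it is rate-limited."""
        ip_hist = self.ip_history[ip]
        self._prune(ip_hist, now)
        if len(ip_hist) >= PER_IP_LIMIT:
            return False
        if self.per_account:
            acct_hist = self.account_history[account]
            self._prune(acct_hist, now)
            if len(acct_hist) >= PER_ACCOUNT_LIMIT:
                return False
            acct_hist.append(now)
        ip_hist.append(now)
        return True


def accepted_attempts(per_account: bool, total_attempts: int, ip_pool_size: int) -> int:
    """Count how many of total_attempts the limiter lets through when they are
    spread round-robin over ip_pool_size addresses, all inside one window."""
    limiter = RecoveryCodeLimiter(per_account)
    accepted = 0
    for i in range(total_attempts):
        # Constructed source addresses from the documentation range 203.0.113.0/24.
        ip = f"203.0.113.{i % ip_pool_size}"
        # Spread the attempts evenly across the 10-minute window.
        now = i * (WINDOW_SECONDS / total_attempts)
        if limiter.allow_attempt("target-account", ip, now):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("per-IP only, 4 addresses:", accepted_attempts(False, 2000, 4))
    print("per-IP + per-account, 4 addresses:", accepted_attempts(True, 2000, 4))
```

With the per-IP-only policy, each extra source address buys another 250 guesses, so the number of guesses that reach the code check grows linearly with the address pool; with the per-account cap added, the total stays at 250 for the window however the guesses are distributed. A real deployment would also invalidate the code after a fixed number of failures rather than only slowing the guesses down, which is a simpler guarantee than any sliding window.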
So far, Instagram hasn’t commented on the vulnerability. But its parent, Facebook, has a bug bounty program through Bugcrowd, which awarded Muthiyah $30,000 for finding the vulnerability.
It isn’t clear if anyone else discovered the account recovery flaw, but Muthiyah said it would’ve required some thorough investigative hacking.