Posted on August 27, 2019 at 5:55 PM
Imagine if a cybercriminal had the resources and expertise to take over one million accounts in ten minutes. That is precisely the risk Instagram was running because of a critical security vulnerability, according to specialist Laxman Muthiyah.
On his Twitter profile, Laxman Muthiyah describes himself as a web developer, security researcher and “sometimes hacker,” although he is one of the good guys: he uses his expertise to spot potential vulnerabilities and reports them to the affected company so they can be fixed in time, earning bounties for his work along the way.
A Crucial Exploit
Recently, Muthiyah identified a critical vulnerability on Instagram, specifically in the way the social network validated its password reset codes. The flaw could have let an attacker request one million password reset codes within a 10-minute window, with a near-certain success rate.
With this vulnerability, there was no need for password lists or other tricks to steal Instagram credentials. Instead, the attacker could simply use the platform’s own password reset process to take over thousands of accounts.
The specialist had already found a vulnerability in July, one that could allow cybercriminals to take over an account on the platform without the owner’s consent. Facebook (remember, Instagram is owned by the social networking giant) paid him $30,000 for his valuable help, and the problem was quickly fixed. That earlier work also established that Instagram validates password resets with six-digit codes.
The researcher had found a way to bypass the brute-force detection measures the platform uses to stop outside parties from cracking those codes with readily available computing power.
That was the fourth Facebook vulnerability he had identified, after three earlier ones, but he wasn’t going to stop there. As it turned out, the password reset endpoint held further account takeover weaknesses.
Issues With the Password Reset Code System
Muthiyah then shifted his focus to a less severe but related issue: the device ID that Instagram uses as a unique identifier when validating the password reset digits.
He explained that when a person requests a passcode from a mobile device, a device ID is sent along with the request, and that the same device ID is then used to verify the code.
Since Muthiyah is continually checking for alternative or hypothetical scenarios, he is often creative when identifying problems and coming up with solutions. In that spirit, he wondered what would happen if the same device ID were used to request password reset codes for several different accounts. Unfortunately, that worked.
Simple math was all that was required from that point on. The six-digit codes have one million possible values, so requesting codes for 100,000 accounts from the same device ID would give a 10 percent success rate.
And if codes for one million users were requested, the potential attacker’s success rate could reach 100 percent by incrementing the passcode one at a time.
A 10-Minute Window
There is a caveat, though. The 10-minute window mentioned above exists because Instagram’s password reset codes expire after 10 minutes. Even so, that could be more than enough time for a large-scale account takeover; the researcher noted that the attack would have to be completed within that timeframe.
Facebook security staff were quick to react, confirmed the vulnerability, and fixed it promptly. The company stated that Muthiyah had found insufficient protections on a recovery endpoint, which would allow an attacker to generate several valid nonces (a cryptographic term for an arbitrary number meant to be used only once) to attempt recovery.
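Facebook’s description of the fix and the arithmetic in the previous section can be illustrated with a small model. The following is an added example, not Instagram’s code or the researcher’s: a reset-code store that checks codes only against the requesting device ID, beside one that also binds each code to its account and caps outstanding codes per device. The cap of five and the device and account names are assumptions.

```python
# Added example (not Instagram's code): a flawed reset-code store that checks
# codes only per device ID, beside one also bound to the account and capped.
import secrets
from collections import defaultdict

CODE_SPACE = 10**6  # six decimal digits

class ResetCodeStore:
    def __init__(self, bind_to_account, cap_per_device=None):
        self.bind_to_account = bind_to_account
        self.cap = cap_per_device
        self.pending = defaultdict(dict)  # device_id -> {code: account}

    def issue(self, device_id, account):
        """Issue a code for `account`; None once the device hits the cap."""
        bucket = self.pending[device_id]
        if self.cap is not None and len(bucket) >= self.cap:
            return None
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        while code in bucket:  # keep a device's outstanding codes distinct
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        bucket[code] = account
        return code

    def verify(self, device_id, code, claimed_account):
        """Return the account the reset is granted for, or None."""
        bucket = self.pending[device_id]
        owner = bucket.get(code)
        if owner is None:
            return None
        if self.bind_to_account and owner != claimed_account:
            return None  # right code, wrong account
        del bucket[code]  # single use
        return owner

def exposure(store, device_id):
    """Chance one guess with device_id is accepted (any account if unbound)."""
    pending = len(store.pending[device_id])
    if store.bind_to_account:
        return 1 / CODE_SPACE if pending else 0.0
    return min(pending / CODE_SPACE, 1.0)

def demo(n_requests=100_000):
    device = "device-A"  # constructed identifier
    flawed = ResetCodeStore(bind_to_account=False)
    fixed = ResetCodeStore(bind_to_account=True, cap_per_device=5)  # assumed cap
    for i in range(n_requests):  # codes for n accounts, all from one device
        flawed.issue(device, f"user{i}")
        fixed.issue(device, f"user{i}")
    return exposure(flawed, device), exposure(fixed, device)
```

With 100,000 outstanding codes on one device, `demo()` returns a 0.1 chance per guess for the flawed store and one in a million for the account-bound, capped store.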
The social network handed the “good hacker” a $10,000 bounty as a token of its appreciation for his help.