Facebook paid a 10,000 dollar bounty to a security researcher (white hat hacker) named Laxman Muthiyah after he discovered a critical vulnerability that malicious actors could have used to take over Instagram accounts.
The flaw was found in the password recovery process of the Instagram mobile application. When a user asks to reset their password, a six-digit code is sent to their phone.
The social network uses a rate-limiting mechanism intended to prevent brute-force attempts at guessing this code.
Muthiyah found that Instagram generates a random ID for each device and includes it in the password reset request. The same ID is then used to check the validity of the code.
The researcher discovered that Instagram allowed the same device ID to be used for many different user accounts. This lets an attacker perform a brute-force attack and obtain six-digit codes.
"As you can see in my previous post, Device ID is the only identifier used by the Instagram server to validate the passcodes used to reset the password. When a user requests a password reset using their mobile device, a device ID is sent along with the request," the researcher wrote. "The same device ID is used for passcode verification."
"Device ID is a random string created by the Instagram application," he said.
The white hat hacker explained that there are one million possible combinations for a six-digit code (000000 to 999999). The probability of a successful guess rises when password resets are requested for multiple user accounts at once.
By reusing the same device ID across those requests, a malicious hacker could obtain the six-digit codes of thousands of users.
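The design flaw described above, modelled in code. This is an added example written for this article, not Instagram's or the researcher's code; the service classes, the five-attempt limit and the account names are constructed assumptions. The weak service keys everything on the device ID alone and lets one device hold pending resets for several accounts, so a verification request never has to name the account. The hardened service binds each device ID to a single pending reset, requires the account name on verification, counts attempts per device rather than per account, and compares codes in constant time.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_LEN = 6
MAX_ATTEMPTS_PER_DEVICE = 5  # constructed value, not Instagram's real limit


@dataclass
class PendingReset:
    username: str
    device_id: str
    code: str


def new_code() -> str:
    """Six-digit numeric code, 000000..999999 (one million combinations)."""
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"


class WeakResetService:
    """Weak design: the device ID is the only identifier. Several accounts
    may share one device ID, and verify() never names the account."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str], PendingReset] = {}

    def request_reset(self, username: str, device_id: str) -> str:
        code = new_code()
        self.pending[(username, device_id)] = PendingReset(username, device_id, code)
        return code  # returned only so the example can inspect it; real services SMS it

    def verify(self, device_id: str, code: str) -> Optional[str]:
        # Any pending reset on this device whose code matches is accepted,
        # so one guess is checked against every account tied to the device.
        for pr in self.pending.values():
            if pr.device_id == device_id and pr.code == code:
                return pr.username
        return None


class HardenedResetService:
    """Hardened design: one pending reset per device, account named on
    verification, attempts throttled per device, constant-time compare."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingReset] = {}      # username -> reset
        self.device_owner: Dict[str, str] = {}          # device_id -> username
        self.device_attempts: Dict[str, int] = {}       # device_id -> count

    def request_reset(self, username: str, device_id: str) -> str:
        owner = self.device_owner.get(device_id)
        if owner is not None and owner != username:
            # Refuse to let one device collect codes for many accounts.
            raise PermissionError("device ID already bound to another pending reset")
        code = new_code()
        self.device_owner[device_id] = username
        self.pending[username] = PendingReset(username, device_id, code)
        return code

    def verify(self, username: str, device_id: str, code: str) -> bool:
        attempts = self.device_attempts.get(device_id, 0)
        if attempts >= MAX_ATTEMPTS_PER_DEVICE:
            return False  # device is locked out regardless of account
        self.device_attempts[device_id] = attempts + 1
        pr = self.pending.get(username)
        if pr is None or pr.device_id != device_id:
            return False  # code must belong to this account and this device
        if secrets.compare_digest(pr.code, code):
            del self.pending[username]
            del self.device_owner[device_id]
            return True
        return False
```

In the weak service, a single six-digit guess is effectively tested against every account that shares the device ID, which is exactly why requesting resets for many users raises the odds of a hit; in the hardened service a guess is tied to one account and one device, and the per-device counter stops a device from spending its attempts across accounts.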
Facebook awarded Muthiyah 10,000 dollars for his findings.
Muthiyah had previously received a 30,000 dollar reward from Facebook under its bug bounty program.
In the past, the same researcher had received other rewards from the platform's bug bounty program for vulnerabilities that could be used to delete users' videos and photos.