Instagram is one of the most popular social media platforms among people from all over the world. It is a network for all sorts of creators, from those sharing unique beauty tips to those earning revenue through vlogs. User engagement on this platform dominates all other major apps.
We live in a digital world where people use a variety of social platforms according to their requirements.
Although there are numerous platforms, the main reason any app succeeds is that it builds strong trust with its users. One of the major issues various companies face is a lack of data security. People feel more comfortable on a platform where they know their content is secured from all sorts of malicious attacks.
The flaw in Instagram’s password recovery option
The “password reset or recovery” option is a feature that enables users to regain access to their account in case they forget their password. To confirm their identity, Instagram users have to enter a six-digit secret code that is sent to their specified phone or email account and expires after 10 minutes.
Recently, an Indian bug bounty hunter, Laxman Muthiyah, discovered a vulnerability in the password recovery phase of the mobile version of Instagram. According to Laxman, Instagram’s rate-limiting feature can be bypassed by sending a huge number of requests from various IP addresses and by sending multiple requests to be processed simultaneously.
Laxman successfully demonstrated that the vulnerability could be used to hijack an Instagram account by attempting 200,000 different passcode combinations without being blocked.
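An added example, not from the original article or from Instagram's code: a reset-code verifier whose guess budget is tied to the issued code and decremented under a lock, so neither rotating IP addresses nor simultaneous requests yields more than MAX_ATTEMPTS guesses. The class name, the cap of 5 and the sample addresses are assumptions.

```python
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor

CODE_TTL = 600      # seconds; the article says the code expires after 10 minutes
MAX_ATTEMPTS = 5    # assumed per-code guess budget, not Instagram's real value

class ResetCodeStore:
    """Guess budget is bound to the issued code, never to the caller's IP."""

    def __init__(self):
        self._lock = threading.Lock()
        self._codes = {}    # account -> [code, expires_at, attempts_left]
        self.evaluated = 0  # guesses actually compared against a code

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        with self._lock:
            self._codes[account] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, account, guess, source_ip, now=None):
        # source_ip is for logging only; it does not select a counter, so
        # rotating addresses buys no extra guesses.
        now = time.time() if now is None else now
        with self._lock:  # check + decrement is one atomic step (no race)
            entry = self._codes.get(account)
            if entry is None or now > entry[1] or entry[2] <= 0:
                self._codes.pop(account, None)  # expired or exhausted
                return False
            entry[2] -= 1
            self.evaluated += 1
            if secrets.compare_digest(entry[0], guess):
                del self._codes[account]  # single use
                return True
            return False

def simulate_rotating_ips(n_requests=500):
    """Constructed scenario: concurrent wrong guesses, one source IP each."""
    store = ResetCodeStore()
    code = store.issue("victim")
    wrong = [g for g in (f"{i:06d}" for i in range(n_requests + 1)) if g != code]
    def attempt(i):
        return store.verify("victim", wrong[i], f"10.0.{i // 256}.{i % 256}")
    with ThreadPoolExecutor(max_workers=32) as pool:
        hits = list(pool.map(attempt, range(n_requests)))
    late_correct = store.verify("victim", code, "10.9.9.9")
    return store.evaluated, any(hits), late_correct
```

The endpoint that issues a new code needs its own per-account limit, otherwise each fresh code renews the guess budget.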
Real-time attack scenario
In a real attack, the attacker requires around 5000 IPs to hack an account, which can easily be done by using a cloud service provider like Amazon or Google, costing less than 150 dollars to complete an attack of one million codes.
Laxman was rewarded $30,000 by the Facebook Bug Bounty Program when he released a proof-of-concept exploit for the vulnerability. Facebook has also featured Laxman Muthiyah's name on the 'Facebook Hall of Fame' page for this year. This flaw could have enabled bad actors to hack any Instagram account without requiring any sort of interaction with the users.
Although Instagram tries to keep advanced security mechanisms in place, it is still not completely immune to hackers. Some loopholes were recently addressed in Instagram’s new updates, while other vulnerabilities are being fixed for now.
Only one Instagram vulnerability surfaced on the internet today that could have allowed any hacker to reset the password and take over any Instagram account easily. Although Instagram tries hard to always secure its users' data, there are still many unidentified loopholes, and the only way to avoid being a victim of these malicious attacks is to enable “two-factor authentication”, which could help prevent hackers from accessing your accounts even if they steal the passwords.
Source: Digitalinformationworld