In The News

Instagram vulnerability could have let attackers access any account

A security researcher found a serious vulnerability that would potentially allow a cyber-crook to access any Instagram account they wanted without the owner’s permission.

The researcher, Laxman Muthiyah (the same researcher that found flaws that could leak your private Facebook photos, or allowed someone to delete your photos) discovered a serious flaw in a feature that allows Instagram users on smartphones to recover their accounts if they forget their password.

How did the vulnerability work?

If an Instagram user forgets their password, they can click a “forgot password” link, and choose to have a recovery code sent to their phone or email, which they then enter into Instagram which allows them to reset their password and regain access to the account.

The recovery code is sent to a user’s own email or phone number, it can be any number between zero and 999,999, and it’s only valid for 10 minutes before it expires.


Sponsored Content. Continued below...




Muthiyah also discovered that after around 200 attempts at guessing the recovery code, Instagram would stop allowing any more attempts, meaning Muthiyah could only guess around 0.02% of the possible recovery code permutations before having the door closed shut.

From a security standpoint, this all looks pretty good so far.

However Muthiyah dug deeper into the 200 guess limit, and investigated how exactly Instagram was capping the number of guesses. You might have thought that Instagram simply wouldn’t allow 200 recovery code guesses to be directed as the same Instagram account, but you’d be wrong.

In reality, it was all down to Muthiyah’s own IP address. Instagram wouldn’t allow more than 200 recovery code guesses to derive from the same IP address. But if you could change the IP address after every 200 guesses, then problem solved.

Of course none of this could be done manually. The recovery code only lasts 10 minutes. So Muthiyah wrote software that would harness the power of 1000 different IP addresses (something that can be achieved by using a cloud provider from Google or Amazon for around $150, or crooks may very well have access to a botnet – that’s a network of computers infected with malware) that would all concurrently make 200 recovery code guesses each. That’s 200,000 recovery code guesses within the ten minute timeframe.

Okay, 200,000 is still only 20% of the possible permutations a recovery code could be, but Muthiyah had proved that this method of accessing an Instagram account was possible. If a crook could harness the power of 5000 different IP addresses instead of Muthiyah’s 1000 – something that was entirely possible with the right resources or amount of money – then they could attempt all one million possible recovery code permutations, and in effect guarantee access to any Instagram account they targeted.

Okay, most attackers are probably not keen enough to go through all that rigmarole and possible expense to gain unlawful access to the Instagram of the average Joe. But there plenty of potential scenarios where attackers would happily launch such an attack based on this vulnerability.


Sponsored Content. Continued below...




For example, gaining access to an Instagram account of an influencer or celebrity with millions of followers. Access to such a high profile account would inevitably have a number of possible pay-offs for a crook.

Or perhaps a personal vendetta again someone you know, such as an ex. What better way of exacting revenge than deleting all the photos from a beloved Instagram account? Even if the attacker themselves does not have a target in mind, they’d most likely have little problem taking a fee from someone technically-less-inclined who does.

Facebook – who own Instagram – agreed that this was a significant vulnerability. Muthiyah was enrolled on the official bug bounty program offered by Facebook, and received a $30,000 payout when he submitted the vulnerability to Facebook.

Facebook in turn have reportedly resolved the vulnerability already – probably by capping the number of recovery code guesses on a target account basis as opposed to an IP address basis. There is also no evidence that this vulnerability had been used by attackers. That means there is nothing for you Instagram users to do. The problem has been resolved.

Share
Published by
Craig Haley