A researcher has found a way to hack Instagram accounts in minutes: a newly discovered Instagram login vulnerability that could allow attackers to bypass two-factor authentication.
Instagram Login vulnerability detected
As reported in a recent blog post, researcher Laxman Muthiyah noticed a flaw that threatened Instagram users. He discovered an Instagram login vulnerability that could allow an attacker to bypass 2FA.
While looking for possible flaws in the Facebook and Instagram platforms, he examined Instagram's forgotten-password endpoint. Although the password reset link in the web interface showed no problems, the mobile platform told a different story.
As in the usual verification flow, the platform sends a six-digit password reset code to the user's mobile number. Like any such code, it could in principle be brute-forced, so the researcher expected some sort of rate limit to prevent a brute-force attack.
The platform does apply a rate limit, but he also noticed two ways to circumvent it: the absence of IP address blacklisting and a race condition. As he stated in his blog,
I could send requests continuously without being blocked, although the number of requests I can send in a fraction of the time is limited.
However, it was not as easy as it seems. The researcher explained that the code expires after 10 minutes, so to exploit the vulnerability successfully an attacker would have to carry out the attack from thousands of IP addresses.
The researcher provided a PoC in his blog post and also demonstrated the attack in the video below.
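Two server-side controls follow from the two gaps described above: count guesses per account rather than per source IP, so rotating addresses gains nothing, and make the check-and-increment atomic, so concurrent requests cannot race past the limit. The following is an added illustration, not code from Instagram or from the researcher; the class, the five-attempt limit and the constructed addresses in the concurrency check are assumptions.

```python
import threading
from collections import defaultdict

CODE_TTL_SECONDS = 600      # the article: a reset code expires after 10 minutes
MAX_ATTEMPTS_PER_CODE = 5   # assumption: guesses allowed before a code is burned

class ResetCodeVerifier:
    """Hypothetical verifier for a six-digit reset code: guesses are counted per
    account, and check-and-increment runs under one lock (no race condition)."""
    def __init__(self):
        self._lock = threading.Lock()
        self._codes = {}                    # account -> (code, issued_at)
        self._attempts = defaultdict(int)   # account -> guesses so far

    def issue(self, account, code, now):
        with self._lock:
            self._codes[account] = (code, now)
            self._attempts[account] = 0

    def verify(self, account, guess, now, source_ip=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'; source_ip is deliberately unused."""
        with self._lock:
            if account not in self._codes:
                return "expired"
            code, issued_at = self._codes[account]
            if now - issued_at > CODE_TTL_SECONDS:
                del self._codes[account]
                return "expired"
            if self._attempts[account] >= MAX_ATTEMPTS_PER_CODE:
                return "locked"
            self._attempts[account] += 1    # counted before comparing, inside the lock
            if guess == code:
                del self._codes[account]    # a code is single use
                return "ok"
            return "wrong"

def concurrent_guess_test(verifier, account, now, workers=50, guesses_each=200):
    """Regression check: many threads, each posing as its own constructed IP, guess at once."""
    counts, counts_lock = defaultdict(int), threading.Lock()
    def worker(n):
        for i in range(guesses_each):
            guess = f"{(n * guesses_each + i) % 1_000_000:06d}"
            r = verifier.verify(account, guess, now, source_ip=f"198.51.100.{n % 254 + 1}")
            with counts_lock:
                counts[r] += 1
    threads = [threading.Thread(target=worker, args=(n,)) for n in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return counts["ok"], counts["wrong"], counts["locked"]   # (ok, wrong, locked) counts
```

With 50 threads and 200 guesses each, exactly five responses are "wrong" and every other request is "locked", regardless of how many source addresses the requests claim to come from.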
Reward of $30,000
Although some limitations stood in the way of a successful attack, the vulnerability was no small problem. As the researcher explained, an adversary could well have the resources to use it.
In a real attack an attacker would need 5000 IP addresses to take over an account. That sounds like a lot, but it is easy to obtain through a cloud service provider such as Amazon or Google. A complete attack covering all one million codes would cost around $150.
He reported the Instagram vulnerability to Facebook, which awarded him a $30,000 bounty.