This Chennai-Based Guy Got Rs 7.2 Lakh For Finding Another Flaw In Instagram

Har Devarukhkar - Oct 01, 2019



A young hacker in Chennai has pointed out a flaw in the Instagram system, after doing the same thing some years ago, and received a decent reward for that.

A security researcher in Chennai named Laxman Muthiyah was rewarded $30,000 by Facebook for detecting a flaw in Instagram the previous month.

He continued his streak with another exploit spotted in the Instagram app. It allowed attackers to remotely get access to a personal account on the platform.


According to Muthiyah, the newly detected flaw resembles the one he found in July. Both allow attackers to hack into an Instagram user's account without their knowledge. Facebook claimed they have fixed the problem and gave Muthiyah $10,000 (equivalent to Rs 7.2 lakh) as a reward for his feat.

Muthiyah shared:

Muthiyah has received a handsome amount of reward money for his act.

If users are locked out of their accounts, Instagram refers to the device ID when validating reset codes. When you ask for a passcode on your mobile phone, the request is sent along with your device ID, which is then used to verify your passcode.

The ID is a combination randomly generated by Instagram. Muthiyah realized that one device ID could be used to ask for passcodes for several accounts. The reset code is a string of six digits, so a hacker equipped with a bot can easily try out a million combinations to find the correct code.

Cybersecurity has been a matter of concern that should not be ignored.

Instagram does not allow unlimited attempts. If you fail to enter the correct code after 200 tries, the app will lock you out. You are only given ten minutes to type in the reset code. So by requesting several resets at one time and trying every possible number on them at the same time, the chances of success are higher. Unfortunately, Instagram does allow that, and Muthiyah suggested that it has to be changed.

The identified flaw gave Muthiyah a way around the 200-try limit, since that limit can be changed by adjusting your IP address.
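A server-side sketch of the checks this flaw calls for, added here as an example and not Instagram's code: one device ID cannot hold open resets for several accounts, and wrong guesses are counted per account rather than per IP address. The class and its names are hypothetical; the six-digit code, ten-minute window and 200-try cap are the figures from the article.

```python
import hmac
import secrets
import time

CODE_TTL = 600       # seconds: the ten-minute window from the article
MAX_ATTEMPTS = 200   # wrong guesses allowed per account, as in the article


class ResetCodes:
    """Hypothetical store that validates six-digit password-reset codes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # account -> (code, device_id, expires)
        self.failures = {}      # account -> wrong guesses; survives re-issue
        self.device_owner = {}  # device_id -> account it last requested for

    def issue(self, account, device_id):
        now = self.clock()
        owner = self.device_owner.get(device_id)
        held = self.pending.get(owner)
        if owner != account and held and held[1] == device_id and held[2] > now:
            # The same device ID may not request codes for a second account.
            raise PermissionError("device already has a pending reset")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = (code, device_id, now + CODE_TTL)
        self.device_owner[device_id] = account
        return code  # sent out of band (SMS or e-mail) to the account owner

    def verify(self, account, device_id, guess):
        entry = self.pending.get(account)
        # The cap is keyed on the account, so changing IP does not reset it.
        # A real service would clear the counter after a cool-down period.
        if entry is None or self.failures.get(account, 0) >= MAX_ATTEMPTS:
            return False
        code, bound_device, expires = entry
        if self.clock() > expires:
            del self.pending[account]
            return False
        if device_id == bound_device and hmac.compare_digest(code, guess):
            del self.pending[account]          # codes are single use
            self.failures.pop(account, None)
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        return False
```
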
