Vulnerability on Instagram’s Password reset system.
A bounty Hunter by the name Laxman Muthiyah used his skill ( not the type you see and hear of that tracks down bail jumpers and all that ) to collect bug bounties – money companies pay to hackers who look for and find bugs and report the companies.
An account breaking bug was found in the mobile version of the Instagram app’s password reset system. When an account owner or visitor tries to validate an account identity by sending the usual 6 digit code to the account’s recovery number.
In the hands of a skilled hacker the code is and can be manipulated like a child play with dinky toys. That’s why Instagram has a system that can detect brute-force attacks. Muthiyah found that out of 1,000 attempts around 75% were blocked.
There’s something called a race condition. A nasty situation where a computer tries to process a lot of requests all at the same time. With a lot of attempts from Muthiyah, an end run was inflicted on Instagram’s brute Force blocker.
He flooded the Instagram with over 200k + codes from over a thousand different IP addresses. Sounds crazy or very difficult right ? Naa. It’s actually possible with a few cloud-based tools.
He’s been doing this for a while now. Being the fourth, he’s been working with Facebook, (and Instagram) to find bugs in their service. This time it cost Facebook $30,000. Thanks to him, Facebook has fixed that bug and further made us all safer online.