Instagram Login Vulnerability Discovered

As revealed in a recent blog post, the researcher Laxman Muthiyah spotted a flaw that threatened Instagram users. He discovered an Instagram login vulnerability that could let an attacker bypass 2FA.

While looking for a probable flaw within the Facebook and Instagram platform, he tested the Instagram forgot password endpoint. While there seemed no problem with the password reset link on the web interface, the mobile platform told a different story.

Like a usual verification method, the platform sent a six-digit password reset code to a user’s mobile number. And, like other codes, it was possible for an adversary to brute force the code. The researcher believed there would be some rate-limiting to prevent brute-forcing.

Whilst the platform does apply rate-limiting, he also noticed two methods for which to bypass such limiting: the absence of IP blacklisting and a race condition. As stated in his blog,

I was able to send requests continuously without getting blocked even though the number of requests I can send in a fraction of time is limited.

Yet, it was not as easy as it sounds. The researcher explained that the code would expire within 10 minutes. So, to successfully exploit the flaw, an attacker would have to perform the attack using 1000s of IPs.

While the researcher has given the PoC in his blog post, he has also demonstrated the attack in the following video.

$30K Bounty Awarded

Although there were some limitations to potentially prevent a successful attack, the vulnerability was not a small issue. As explained by the researcher, an adversary could have possessed the resources to exploit it.

In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.

He reported the Instagram vulnerability to Facebook, upon which, Facebook awardedhim a bounty of $30,000.

Let us know your thoughts in the comments.