Indian security researcher Laxman Muthiyah recently found a bug in the Instagram app that allowed him to take over any account on the platform. Muthiyah reported the bug to Instagram, and under its bug bounty programme Instagram awarded him $30,000.
Muthiyah said that the vulnerability allowed him to “hack any Instagram account without consent permission”, IANS reported.
He said that the hack was as simple as initiating a password reset, requesting a recovery code, and then quickly trying out possible recovery codes against the account.
“Instagram's forgot-password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn’t find any bugs after a few minutes of testing. Then I switched to their mobile recovery flow, where I was able to find a susceptible behaviour,” Laxman Muthiyah wrote in a blog post.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof-of-concept video, I could convince them the attack is feasible.”
Instagram’s team has since fixed the bug.
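Guessing recovery codes, as described above, only pays off when the verification endpoint never bounds the number of guesses per code. As an added illustration of the defender's side (not Muthiyah's write-up and not Instagram's code), the verifier below gives every issued code a hard attempt budget, an expiry and single use; the 6-digit length, 10-minute lifetime and 5-attempt limit are assumed values, since the article states none of them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters (the article does not state them): a 6-digit numeric code
# that lives for 10 minutes and may be checked at most 5 times.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class RecoveryCodeService:
    """Issues and verifies reset codes with a hard per-code attempt budget."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> PendingReset

    def issue_code(self, account: str) -> str:
        # Re-issuing replaces the outstanding code, so only one code per
        # account is ever live.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = PendingReset(code, self._clock())
        return code

    def verify_code(self, account: str, guess: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return False
        # Spend the budget before comparing. In production this increment must be
        # atomic in the shared store, or concurrent requests can all slip past it.
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[account]  # burn the code; a fresh one is needed
            return False
        if hmac.compare_digest(entry.code, guess):
            del self._pending[account]  # single use
            return True
        return False
```

Per-code budgets are only one layer; the same endpoint also needs per-account and per-source rate limits, otherwise an attacker simply re-requests codes to refill the budget.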
In the past, Muthiyah also found a data deletion flaw and a data disclosure bug in Facebook. The first bug could have been used to delete all your photos without knowing your password, while the second could trick you into installing an innocent-looking mobile app that could read all your photos without ever being granted access to your account.