
Published on July 15th, 2019


Major Instagram flaw allowed hackers to hijack ANY account in just 10 minutes



INSTAGRAM recently patched up a critical security flaw that could have resulted in accounts being hacked even if the users hadn't interacted with the cyber criminal.

A 'bug bounty hunter' has detailed on his YouTube channel how the critical vulnerability could be exploited, showing how a remote attacker could reset the password for any Instagram account and take full control.


Laxman Muthiyah found the bug and reported it to Instagram.

He then demonstrated to his followers how the password recovery mechanism on the Instagram mobile app could once have allowed hackers to gain access to an account.

This password recovery feature sends a six-digit secret code with a 10-minute expiry to the mobile number or email address associated with the account, which the user can then use to gain access.

Unfortunately, this also meant that one of a million possible combinations could unlock any account if a hacker bypassed the rate limit Instagram had set up to prevent such attacks, which could be done by sending multiple brute-force requests from different IP addresses.
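The weakness described above comes from counting attempts per source address rather than per issued code. The sketch below is an added example, not Instagram's code or its actual fix: it compares a verifier limited only per IP with one that also retires the code after a few failures. The limits `MAX_PER_IP` and `MAX_PER_CODE`, the class names and the sample addresses are assumptions.

```python
import hmac
import secrets
from collections import defaultdict

CODE_TTL = 600      # 10-minute expiry, as described in the article
MAX_PER_IP = 200    # assumed per-address limit (not from the article)
MAX_PER_CODE = 5    # assumed failure cap per issued code (not from the article)

class RecoveryCode:
    """One six-digit recovery code issued for one account."""
    def __init__(self, now):
        self.value = f"{secrets.randbelow(10**6):06d}"
        self.expires = now + CODE_TTL
        self.failures = 0
        self.dead = False

class Verifier:
    def __init__(self, per_code_cap):
        self.per_code_cap = per_code_cap    # False: per-IP limit only
        self.per_ip = defaultdict(int)

    def check(self, code, guess, ip, now):
        if code.dead or now > code.expires:
            return "rejected"
        self.per_ip[ip] += 1
        if self.per_ip[ip] > MAX_PER_IP:
            return "rejected"
        if hmac.compare_digest(code.value, guess):
            code.dead = True                # codes are single use
            return "ok"
        code.failures += 1
        if self.per_code_cap and code.failures >= MAX_PER_CODE:
            code.dead = True                # user must request a fresh code
        return "wrong"

def guesses_evaluated(per_code_cap, addresses, per_address):
    """Count guesses that reach the comparison for one issued code."""
    code, verifier, evaluated = RecoveryCode(now=0), Verifier(per_code_cap), 0
    for a in range(addresses):
        for _ in range(per_address):
            # constructed wrong guess: can never equal a six-digit code
            if verifier.check(code, "xxxxxx", f"198.51.100.{a}", now=1) == "wrong":
                evaluated += 1
    return evaluated
```

With the per-IP limit alone, the number of guesses evaluated grows with the number of source addresses; with the per-code cap it stays fixed no matter how many addresses are involved.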


In Muthiyah's YouTube video, he demonstrates how he tries 200,000 different pass code combinations at the same time and does not get blocked.

He received a $30,000 reward from Instagram as part of the company's bug bounty program.

This bug may have been fixed by Instagram now, but users are always strongly advised to activate two-factor authentication so that hackers will find it very difficult to get into their accounts.

An Instagram spokesperson said: "Our bug bounty program is essential in helping us find and fix areas of vulnerability across our platforms, including Instagram.

"Through this program, a researcher recently found an issue where one could possibly access another person's account by guessing recovery codes used to help people regain access to their Instagram accounts.

"We investigated his findings and found no evidence of abuse, and we have now fixed the issue. We're grateful for this researcher's help in keeping people on our platform safe."

Instagram – the key facts





Here's what you need to know...

  • Instagram is a social network for sharing photos and videos
  • It was created back in October 2010 as an iPhone-exclusive app
  • A separate version for Android devices was released 18 months later
  • The app rose to popularity thanks to its filters system, which lets you quickly edit your photos with cool effects
  • When it first launched, users could only post square 1:1 ratio images, but that rule was changed in 2015
  • In 2012, Facebook bought Instagram for $1billion in cash and stock
  • In 2018, some analysts believe the app is worth closer to $100billion
  • In October 2015, Instagram confirmed that more than 40billion photos had been uploaded to the app
  • And in 2018, Instagram revealed that more than a billion people were using the app every month
