Facebook-owned photo-sharing platform, Instagram, has recently patched up a vulnerability discovered through its bounty program, which, if left unresolved, would allow hackers to take over accounts of users in a matter of ten minutes.
The vulnerability, which lies inside the password recovery mechanism of the mobile version of Instagram, was discovered by Indian bug bounty hunter Laxman Muthiah.
The majority of apps and software have an option to “recover password” or give users the option to “reset passwords.” According to Muthiah, a flaw in Instagram’s password recovery mechanism could allow threat actors to hack into an Instagram account.
“Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link based password reset mechanism which is pretty strong, and I couldn’t find any bugs after a few minutes of testing,” Muthiah said in a blog post.
Instagram’s mechanism works rather straightforwardly. After a user requests a password reset (usually because the user has forgotten his or her password), they have to confirm a six-digit secret passcode (which expires after 10 minutes) sent to their associated mobile number or email account to prove their identity.
Mathematically, of course, there is only a finite number of six-digit passcodes. But the researcher said it isn’t as simple as trying every possible combination: doing so is an arduous process even with tooling, and Instagram also limits the number of attempts to prevent exactly that.
“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we can try all the one million codes on the verify-code endpoint, we would be able to change the password of any account. But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it.”
However, Laxman found that this rate limiting can be bypassed by sending brute-force requests from different IP addresses and leveraging a race condition, sending concurrent requests so that multiple attempts are processed simultaneously.
“Race hazard (concurrent requests) and IP rotation allowed me to bypass it. Otherwise, it wouldn’t be possible. Ten minutes expiry time is the key to their rate limiting mechanism, that’s why they didn’t enforce permanent blocking of codes,” he said.
“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of [requests] and the number of IPs we use. Also, I realized that the code expires in ten minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack.”
During the test, the researcher used 1000 different machines (to achieve concurrency easily) and IPs to send 200,000 requests, which is 20 percent of the total one million possible codes.
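The mitigation that closes both gaps the researcher describes, keying the attempt budget to the targeted account rather than the source IP and counting attempts atomically, shown as an added illustration (this is not Instagram’s code, and the attempt limit of 5 is an assumption):

```python
import threading
from collections import defaultdict

MAX_ATTEMPTS = 5  # assumed per-code budget; the article does not state Instagram's limit


class PerIpLimiter:
    """Weak limiter modelled on the flaw in the article: the budget is keyed by
    source IP and updated with a non-atomic check-then-increment, so rotating
    IPs (and racing concurrent requests) slips past it."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def allow(self, account_id, source_ip):
        if self.attempts[source_ip] >= MAX_ATTEMPTS:  # check ...
            return False
        self.attempts[source_ip] += 1                 # ... then increment (racy)
        return True


class PerAccountLimiter:
    """Hardened limiter: budget keyed by the account whose code is being
    verified (IP rotation changes nothing), counted under a lock and
    incremented before the check so concurrent requests cannot share a slot."""

    def __init__(self):
        self.attempts = defaultdict(int)
        self.lock = threading.Lock()

    def allow(self, account_id, source_ip):
        with self.lock:
            self.attempts[account_id] += 1
            return self.attempts[account_id] <= MAX_ATTEMPTS


def simulate(limiter, n_requests, account_id="victim"):
    """Replay n_requests concurrent verify attempts against one account, each
    from a distinct constructed source IP; return how many got through."""
    allowed = []

    def worker(i):
        if limiter.allow(account_id, f"10.0.{i // 256}.{i % 256}"):
            allowed.append(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(allowed)
```

Running `simulate(PerIpLimiter(), 1000)` lets all 1000 attempts through, while `simulate(PerAccountLimiter(), 1000)` stops at 5 regardless of how many IPs or threads are used.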
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”
The discovery of the vulnerability was submitted to Facebook’s bounty program, and Muthiah was granted a bounty of $30,000 for his work. Facebook confirmed Muthiah’s discovery and has started working to fix the vulnerability, among others that could potentially put its users at risk.
Facebook’s bug bounty program encourages white-hat hackers to discover ways that Facebook’s and its subsidiaries’ systems can be exploited.
“Facebook is working constantly to improve its security controls on all of their platforms. As a part of it, they recently increased reward payouts for all critical vulnerabilities, including account takeovers. So I decided to try my luck on Facebook and Instagram. Fortunately, I was able to find one on Instagram,” Muthiah said in his post.