Instagram has recently addressed a critical vulnerability that could have allowed attackers to completely take over any account without user interaction.
The news was first reported by TheHackerNews; the issue had been reported to the Facebook-owned photo-sharing service by the Indian security researcher Laxman Muthiyah.
According to Muthiyah, the flaw affects the “password reset” mechanism implemented by Instagram for the mobile version of the service.
The expert focused his tests on the maximum number of requests allowed and discovered the absence of blacklisting: he was able to keep sending requests without being blocked, even after reaching the maximum number of requests permitted within a short time window.
“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password.”
Finally, he discovered two things that allowed him to bypass the rate-limiting mechanism: a race condition and IP rotation.
“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited,” explained the expert. “The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, which makes the attack even harder, therefore we need 1000s of IPs to perform the attack.”
In summary, the rate limiting can be bypassed by brute-forcing the passcode from many different IP addresses and exploiting the race condition by sending the requests concurrently.
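Both weaknesses described above follow from where the limit is enforced: a budget scoped to the client IP is refilled by rotating IPs, and a check-then-update that is not atomic lets concurrent requests all pass the same stale check. The following Python sketch is an added illustration of a reset-code verifier that closes both gaps; it is not Instagram's code or the researcher's, and the class and helper names, the 5-attempt budget and the fake IP addresses are assumptions (the 10-minute expiry is the one the article quotes).

```python
import hmac
import secrets
import threading
import time

MAX_ATTEMPTS = 5        # wrong guesses allowed per issued code, whatever the client IP (assumed)
CODE_TTL_SECONDS = 600  # the article states the code expires in 10 minutes


class PasscodeVerifier:
    """Reset-code check with an attempt budget keyed by account, not client IP
    (IP rotation cannot refill it), decremented under a lock (no race window)."""

    def __init__(self, now=time.time):
        self._now = now
        self._lock = threading.Lock()
        self._pending = {}  # account -> [code, issued_at, attempts_left]

    def issue(self, account):
        code = f"{secrets.randbelow(1_000_000):06d}"
        with self._lock:
            self._pending[account] = [code, self._now(), MAX_ATTEMPTS]
        return code  # delivered out of band (SMS) in a real service

    def verify(self, account, guess, client_ip=None):
        # client_ip is accepted only for audit logging; it must not scope the budget
        with self._lock:
            entry = self._pending.get(account)
            if entry is None:
                return False
            code, issued_at, _ = entry
            if self._now() - issued_at > CODE_TTL_SECONDS:
                del self._pending[account]  # expired: the user must request a new code
                return False
            entry[2] -= 1
            ok = hmac.compare_digest(code, str(guess))
            if ok or entry[2] == 0:
                del self._pending[account]  # single use, or budget exhausted
            return ok


def concurrent_guesses(verifier, account, guess, n):
    """Fire n simultaneous guesses, each tagged with a different constructed client IP."""
    threads = [threading.Thread(target=verifier.verify,
                                args=(account, guess, f"198.51.100.{i % 250}"))
               for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
```

Because the budget lives with the account's pending code and is spent inside the lock, a burst of concurrent guesses from many addresses consumes at most MAX_ATTEMPTS checks before the code is revoked.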
The expert also published a video PoC of the attack, showing the flaw being exploited to hijack an Instagram account by trying 200,000 different passcode combinations without being blocked.
Laxman Muthiyah received a $30,000 reward from the company as part of its bug bounty program.