Facebook recently launched a bug bounty program to improve the security of its services. It covers all the brands the company runs, and Facebook announced it would pay generous rewards to researchers who find weaknesses in those services.
Indian security researcher Laxman Muthiyah took up the offer: he discovered a vulnerability in Instagram that let him take over a profile with little effort. Muthiyah said he found a weakness in the password recovery flow that, in effect, handed him the key to any account. He published a step-by-step account of his findings, with screenshots, on the Zero Hack blog.
The weakness lay in the verification step, which he managed to bypass. Using thousands of IP addresses, he sent the request for the verification code that is delivered to the user’s smartphone or e-mail to confirm the owner’s identity. He did this 200,000 times and received as many codes to gain access to the account. The system allows 10 minutes to receive and enter the code; within that window he managed to match the account to its code and succeeded. Carrying out such a takeover does require some specialized tooling, but according to Laxman’s article it costs about $150.
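The paragraph above describes why the attack worked: the throttle on code guesses was tied to the requesting IP, so spreading requests across many addresses reset the budget each time. The following example, added here and not taken from the researcher's write-up or from Instagram's code, models that failure mode from the defender's side. A verifier that counts attempts per client IP is placed next to one that counts every guess against the recovery session itself, regardless of where it comes from, and invalidates the code once the budget is spent. The attempt limits, account names and sample IP ranges are constructed for the illustration; only the 10-minute validity window comes from the article.

```python
"""Recovery-code verification: per-IP throttle vs. per-session attempt budget.

Added illustration, not Instagram's or the researcher's code. All limits,
account names and addresses below are constructed; only the 10-minute code
lifetime is taken from the article.
"""
import secrets
import time
from collections import defaultdict

CODE_TTL_SECONDS = 600     # the 10-minute window the article mentions
PER_IP_LIMIT = 5           # hypothetical: guesses allowed per (IP, account)
PER_SESSION_LIMIT = 5      # hypothetical: total guesses allowed per issued code


class RecoverySession:
    """One issued recovery code for one account."""

    def __init__(self, code: str, now: float):
        self.code = code
        self.issued_at = now
        self.attempts = 0
        self.burned = False    # set once the attempt budget is exhausted


class WeakVerifier:
    """Throttles guesses per (client IP, account).

    Each new source address gets a fresh budget, so the total number of
    guesses against one code grows with the number of addresses used.
    """

    def __init__(self):
        self.sessions: dict[str, RecoverySession] = {}
        self.per_ip_attempts = defaultdict(int)

    def issue(self, account: str, now: float) -> str:
        """Generate a 6-digit code (constructed format) and start a session."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[account] = RecoverySession(code, now)
        return code

    def verify(self, account: str, guess: str, client_ip: str, now: float) -> str:
        s = self.sessions.get(account)
        if s is None or now - s.issued_at > CODE_TTL_SECONDS:
            return "expired"
        key = (client_ip, account)
        if self.per_ip_attempts[key] >= PER_IP_LIMIT:
            return "rate_limited"
        self.per_ip_attempts[key] += 1
        if secrets.compare_digest(guess, s.code):
            del self.sessions[account]          # single use
            return "ok"
        return "wrong"


class HardenedVerifier(WeakVerifier):
    """Counts every guess against the recovery session, whatever its source IP,
    and burns the code once the budget is spent, forcing a fresh code request."""

    def verify(self, account: str, guess: str, client_ip: str, now: float) -> str:
        s = self.sessions.get(account)
        if s is None or s.burned or now - s.issued_at > CODE_TTL_SECONDS:
            return "expired"
        s.attempts += 1
        if s.attempts > PER_SESSION_LIMIT:
            s.burned = True
            return "locked"
        if secrets.compare_digest(guess, s.code):
            del self.sessions[account]
            return "ok"
        return "wrong"


def guesses_evaluated(verifier: WeakVerifier, n_ips: int, per_ip: int) -> int:
    """Send wrong guesses from n_ips distinct addresses (per_ip each) against one
    account and return how many guesses the verifier actually evaluated."""
    now = time.time()
    code = verifier.issue("alice", now)
    wrong = "000000" if code != "000000" else "000001"   # guaranteed incorrect
    evaluated = 0
    for i in range(n_ips):
        ip = f"10.0.{i // 256}.{i % 256}"                 # constructed addresses
        for _ in range(per_ip):
            if verifier.verify("alice", wrong, ip, now) in ("wrong", "ok"):
                evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("weak     :", guesses_evaluated(WeakVerifier(), 40, PER_IP_LIMIT))
    print("hardened :", guesses_evaluated(HardenedVerifier(), 40, PER_IP_LIMIT))
```

With 40 addresses the per-IP verifier evaluates 200 guesses, and every further address adds another five; the per-session verifier stops at five no matter how many addresses are used, and the code then has to be re-requested, which is the event worth alerting on. The check that matters for a recovery flow is therefore the budget attached to the issued code, not to the client.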
The researcher disclosed the details of his Instagram experiment so that the Facebook team could fix the vulnerability. In return, he received a $30,000 bounty for finding the bug.