Hackers Could Have Broken into Any Instagram Account Through a Flaw in the Password Reset System
Most Facebook users probably have no idea who Laxman Muthiyah is, which is a shame because they have no idea how much he has done to protect their privacy. Laxman Muthiyah is a web developer and security researcher from India who has discovered quite a few serious vulnerabilities in the world's biggest social network. In February 2015, for example, he found out that with the help of an easily obtainable access token and the identification number of a Facebook album, he could delete your photos without your consent. About a month later, he uncovered another flaw in Facebook's mobile applications, which allowed anyone to look at private pictures on your phone.
Muthiyah has discovered a few other Facebook bugs, and he recently decided to take a look at how Mark Zuckerberg's other popular platforms are doing. Instagram was the first on the list, and sure enough, after poking through its password reset mechanism, Muthiyah found a bug which would have allowed motivated hackers to take over any Instagram account they fancy.
Instagram's different password reset mechanisms
Instagram passwords can be reset both through the browser and via the social network's mobile application. In the browser, the mechanism is old-fashioned and simple – you click the "Forgot password?" link, you enter the username of your account, and a password reset link is sent to your email. As long as you have access to your email address, you should be fine.
On mobile devices, things are a bit different. After you initiate the password reset procedure, Instagram sends a text message with a six-digit passcode to the phone number associated with your account. You provide the passcode, and the application lets you assign a new password.
The passcode in the SMS expires after ten minutes, and there is a rate limit on how many wrong codes you can enter from the same IP in a short period of time. The system was designed that way in order to ensure that a cybercriminal can't use brute force to try to guess the six-digit code. That's what the people who had put it in place thought, anyway.
Instagram's spotty brute-force protection
Laxman Muthiyah suspected that there might be a way around Instagram's brute-force protection, and to confirm whether or not this really was the case, he needed to do some reconnaissance. He created a fake account, initiated a password reset procedure, and wrote a script that automatically tried 1,000 different random six-digit codes in quick succession. 750 of them were denied, which gave Muthiyah the rate limit – 250 requests per IP address. He then realized, however, that he could send another 1,000 requests from the same address. The rate limit would once again invalidate three-quarters of them, but the IP would not be blacklisted.
After some more head-scratching, he figured out that if he had control over a large number of IPs and if he could trigger a race condition (unintended behavior that arises when a system handles several requests at the same time), he could try many different six-digit combinations in a relatively short period of time without hitting the rate limit.
To prove his point, he used 1,000 different IPs to send just under 200,000 requests, and his proof-of-concept video shows that all but 770 of them went through. A six-digit passcode has a total of 1 million possible combinations which means that if attackers can send requests from 5,000 IPs, they can pretty much guarantee the successful brute-forcing of the all-important code.
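To make the arithmetic above concrete from the defender's side, here is an added example (not Instagram's code and not Muthiyah's proof-of-concept) that models two throttling policies for the code-verification endpoint: the per-IP throttle the article describes, and a cap on total guesses per reset session regardless of source IP. The 250-requests-per-IP figure, the six-digit code space and the ten-minute expiry come from the article; the ten-guess session cap, the session identifiers and the IP labels are assumptions made for the example.

```python
import threading
import time
from collections import defaultdict

# Figures from the article: roughly 250 verification requests per IP before
# throttling, a six-digit code, and a ten-minute lifetime for the code.
PER_IP_LIMIT = 250
CODE_SPACE = 10 ** 6
CODE_TTL_SECONDS = 10 * 60
# Assumed value: hard cap on guesses per reset session, whatever the source IP.
PER_SESSION_LIMIT = 10


class PerIpLimiter:
    """Throttles by source IP only, i.e. the policy the article describes."""

    def __init__(self, limit=PER_IP_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)
        self.lock = threading.Lock()

    def allow(self, session_id, ip, now=None):
        # The lock makes check-and-increment atomic, so a burst of concurrent
        # requests cannot all pass the check before any of them is counted.
        with self.lock:
            if self.counts[ip] >= self.limit:
                return False
            self.counts[ip] += 1
            return True


class PerSessionLimiter:
    """Caps total guesses per reset session (i.e. per issued code), from any IP."""

    def __init__(self, limit=PER_SESSION_LIMIT, ttl=CODE_TTL_SECONDS):
        self.limit = limit
        self.ttl = ttl
        self.sessions = {}  # session_id -> [issued_at, attempts_so_far]
        self.lock = threading.Lock()

    def issue(self, session_id, now=None):
        """Record that a fresh code was sent for this reset session."""
        now = time.time() if now is None else now
        with self.lock:
            self.sessions[session_id] = [now, 0]

    def allow(self, session_id, ip, now=None):
        now = time.time() if now is None else now
        with self.lock:
            entry = self.sessions.get(session_id)
            if entry is None:
                return False  # unknown, expired or already exhausted session
            issued_at, attempts = entry
            if now - issued_at > self.ttl or attempts >= self.limit:
                del self.sessions[session_id]  # code is dead; a new one must be issued
                return False
            entry[1] = attempts + 1
            return True


def accepted_attempts(limiter, session_id, num_ips, attempts_per_ip, now=0.0):
    """Count how many guesses a policy lets through when one reset session is
    hit from num_ips different addresses. IPs are constructed RFC 1918 labels."""
    accepted = 0
    for i in range(num_ips):
        ip = f"10.0.{i // 256}.{i % 256}"
        for _ in range(attempts_per_ip):
            if limiter.allow(session_id, ip, now=now):
                accepted += 1
    return accepted


def success_probability(accepted, space=CODE_SPACE):
    """Chance that `accepted` distinct guesses include one uniformly random code."""
    return min(1.0, accepted / space)


if __name__ == "__main__":
    session = "reset-session-1"  # constructed identifier
    per_ip = PerIpLimiter()
    n = accepted_attempts(per_ip, session, num_ips=5000, attempts_per_ip=300)
    print(f"per-IP policy, 5000 IPs: {n} guesses accepted, "
          f"p(success) = {success_probability(n):.2f}")
    per_session = PerSessionLimiter()
    per_session.issue(session, now=0.0)
    n = accepted_attempts(per_session, session, num_ips=5000, attempts_per_ip=300)
    print(f"per-session policy, 5000 IPs: {n} guesses accepted, "
          f"p(success) = {success_probability(n):.6f}")
```

Run as a script, the per-IP policy lets 5,000 IPs contribute 250 guesses each, which exceeds the one million possible codes, so the probability of a hit reaches 1.0; the per-session policy lets through ten guesses in total no matter how many IPs are used. The two design points to take from it are that the budget must be attached to the secret being guessed (the code or session), not to the client, and that the check and the increment must happen atomically so simultaneous requests cannot all see the counter before it is updated.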
$150 for taking over a single Instagram account. Is it worth it?
5,000 IPs might sound like a lot, but Muthiyah calculated that thanks to modern cloud services from Amazon and Google, renting a similar number of addresses would cost around $150. Are criminals going to be interested in paying $150 in order to hijack an account of a person who shares their selfies with friends and family? It seems unlikely. If, however, the target is one of the so-called Instagram influencers, the story is different.
We're talking about users with hundreds of thousands or even millions of followers who are ready to click on every link they see. The potential for wreaking havoc is more or less limitless, which is why when Muthiyah learned about the flaw, he got in touch with Instagram immediately, and it must be said that the photo-sharing network's response left little to be desired.
The vulnerability was patched quickly, and Laxman Muthiyah was awarded a $30,000 bounty for finding and reporting the flaw. This is the latest in a rather long line of bounties Muthiyah has received for his work. Users should be thankful for his efforts and should hope that he will continue to be one step ahead of the cybercriminals in finding the bugs.