
Hacker gets $30,000 for reporting flaw that let anyone hack Instagram accounts

The flaw allowed anyone familiar with brute-force attacks to take over Instagram accounts without raising any suspicion.

How do you hack an Instagram account? This is something every Tom, Dick, and Harry wants to know, since with over a billion users Instagram is the world's largest photo and video-sharing social networking service.
While people are making a living out of Instagram, it has also become a lucrative target for hackers and other malicious elements. That is why any vulnerability affecting the social network giant is a big deal, and Facebook knows it.
Recently, Laxman Muthiyah, an IT security researcher and bug bounty hunter from India, discovered a critical vulnerability in Instagram that would allow an attacker to take over an Instagram account without the victim's knowledge or permission, all in under 10 minutes.
The vulnerability existed in the password reset mechanism of Instagram's mobile version which, like any other platform, lets users recover their password when they have forgotten it or when someone has tried to access their account maliciously.
Laxman explained the proof of concept in his blog post. Instagram's password recovery feature works by sending a six-digit passcode to the email address or phone number associated with the account.
Laxman dug further and mounted a brute-force attack on the passcode of a target account, submitting 200,000 candidate codes to the verify-code endpoint. The passcode is usable for 10 minutes, after which it expires, so an attacker has a 10-minute window in which to breach the account.
However, since Instagram uses rate limiting, such an attack should have been almost impossible to execute. Rate limiting caps the number of actions allowed within a given time. For instance, different Instagram accounts have different rate limits: some accounts are allowed 500 to 1,000 likes per day, some can follow 200 to 500 accounts per day, and some can unfollow 200 to 300 accounts per day.
When it comes to password reset, rate limiting is meant to block any misuse of the feature, yet Laxman carried out the brute-force attack anyway by exploiting a race condition, "sending concurrent requests using multiple IPs", which allowed him to "send a large number of requests without getting limited."
In a YouTube video, Laxman demonstrated sending 200,000 requests, which is 20% of the one million possible six-digit codes.
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” said Laxman.
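As an added illustration (not Laxman's proof of concept and not Instagram's code), the Python below models the two rate-limiting designs the article contrasts: a budget keyed on the requesting IP, which a caller with many IPs simply multiplies, beside one keyed on the target account's code, updated under a lock and burned after a handful of wrong tries. The class names, the IP addresses and the limits are constructed for the example.

```python
import secrets
import threading
import time

CODE_SPACE = 1_000_000   # six-digit code: 000000..999999
CODE_TTL_SECONDS = 600   # code expires after 10 minutes, as the article describes

class ResetCode:
    """A pending six-digit password-reset code for one account (constructed model)."""
    def __init__(self):
        self.value = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.expires_at = time.time() + CODE_TTL_SECONDS
        self.attempts = 0
        self.lock = threading.Lock()

class WeakVerifier:
    """Budget keyed on the source IP: each new IP gets a fresh allowance, so a caller
    spreading requests over many IPs multiplies the number of guesses it gets."""
    def __init__(self, per_ip_limit: int = 200):
        self.per_ip_limit = per_ip_limit
        self.per_ip = {}
    def verify(self, code: ResetCode, ip: str, guess: str) -> str:
        if time.time() > code.expires_at:
            return "expired"
        used = self.per_ip.get(ip, 0)      # check ...
        if used >= self.per_ip_limit:
            return "rate_limited"
        self.per_ip[ip] = used + 1         # ... then act: not atomic under concurrency
        return "ok" if guess == code.value else "wrong"

class HardenedVerifier:
    """Budget keyed on the target code, updated under a lock, and the code is burned
    once the budget is spent, so extra source IPs buy nothing."""
    def __init__(self, per_code_limit: int = 5):
        self.per_code_limit = per_code_limit
    def verify(self, code: ResetCode, ip: str, guess: str) -> str:
        with code.lock:                    # serialises concurrent requests per code
            if time.time() > code.expires_at or code.attempts >= self.per_code_limit:
                return "expired"
            code.attempts += 1
            ok = secrets.compare_digest(guess, code.value)
            if ok or code.attempts >= self.per_code_limit:
                code.expires_at = 0        # single use, or burned after too many tries
            return "ok" if ok else "wrong"

def attempts_allowed(verifier, code, ips, per_ip_tries):
    """Count the wrong guesses the verifier accepts across all IPs (constructed harness)."""
    return sum(verifier.verify(code, ip, "000000x") == "wrong"
               for ip in ips for _ in range(per_ip_tries))
```

With three IPs and 250 tries each, the per-IP design accepts 600 wrong guesses while the per-code design stops at 5 and invalidates the code, which is the property to look for when reviewing a reset flow.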
Watch the PoC video below:
The good news is that Laxman took part in Instagram's bug bounty program and reported the vulnerability to the company, which awarded him $30,000. Simply put: the vulnerability has been patched.
If you own an Instagram account, protect it from malicious attacks by keeping a strong password and two-factor authentication enabled at all times. Furthermore, watch out for the surge in phishing attacks that trick users into giving away their login credentials.
