How your Instagram account could have been hijacked

An independent researcher has found a security loophole in Instagram’s mobile password recovery flow that could have allowed attackers to break into user accounts.

The flaw, discovered and reported by India-based researcher Laxman Muthiyah, has since been fixed by Instagram’s owner, Facebook. The researcher, meanwhile, received a bug bounty payout of US$30,000 for his work.

Muthiyah, who has a history of spotting bugs in Facebook, said that his latest bug hunting effort was prompted by Facebook’s recent decision to increase payouts for vulnerabilities that can lead to account takeovers. Instagram’s web interface with a link-based password reset is not susceptible to the vulnerability.

As described in this posting and demonstrated in this proof-of-concept video, the security hole had to do with how the photo-sharing service enabled users to regain access to their accounts in case they’d forgotten their password.

As part of the password recovery process, you receive a six-digit code to your recovery phone number that you’re asked to enter into the app as a way of validating your identity. The code expires after 10 minutes and Instagram has additional safeguards in place in order to foil brute-force attacks at the code, where ne’er-do-wells would try to ram their way in by trying out all possible combinations in a bid to arrive at the correct one. With six digits from 0-9, there would be no fewer and no more than a million possibilities to try.

Still, Muthiyah demonstrated that the process could be subverted.

The good thing is that the photo-sharing service puts a cap on the number of attempts that can be made from a particular IP address within the 10-minute window. As a result, Muthiyah initially found that only 250 out of 1,000 requests he’d sent eventually went through while the rest ended up rate-limited, or effectively denied.

However, he realized that he “was able to send requests continuously without getting blocked”, even though the number of requests sent within a time span was indeed restricted.

“After a few days of continuous testing, I found two things that allowed me to bypass their rate limiting mechanism,” he said. The two things were a race hazard and an IP rotation. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited,” he said.

Long story short, Muthiyah co-opted 1,000 IP addresses from cloud-based services for the task and tried out 200,000 code combinations against a test account.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” he wrote. Generally speaking, brute-force techniques are also associated with botnets.

In conclusion, on top of using a strong and unique password to access (not only) your Instagram account, it’s always best to rely also on an extra authentication factor, and the platform recently its two-factor authentication options. Last month, the site also announced the testing of a new in-app process for users to regain access to accounts that have been overtaken by cybercriminals.

16 Jul 2019 – 05:36PM