Facebook recently awarded Indian security researcher Laxman Muthiyah a $30,000 bounty for finding a flaw in Instagram that would have let an attacker take over accounts without any cooperation or interaction from the targeted victim.
The vulnerability was in the password recovery system. Muthiyah found that an attacker could abuse the password reset feature, which is meant to help people who have forgotten or lost their password get back into their own accounts, to take control of an account that was not theirs.
According to www.technadu.com:
When a user asks for a password reset, Instagram sends a six-digit passcode to their mobile phone or registered email account, which expires in ten minutes. This is something like a two-factor authentication step that helps the platform affirm that it is the real holder who is asking for the password reset. The hacker figured out that if he sent thousands of simultaneous password reset requests from different IP addresses, he could leverage a race condition and bypass the authentication step. Going from theory to practice, Muthiyah used 1000 different IPs to send 200k requests, just to make his point to Facebook’s security team.
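The mechanics in the quoted passage, as an added example that is not from this article, from technadu or from Muthiyah's report: a toy Python model of a six-digit reset-code verifier, first throttled only per source IP (so spreading guesses over 1000 IPs defeats the limit) and then throttled per account, where the code is invalidated after a handful of wrong guesses regardless of how many IPs the guesses come from. The limits (250 per IP, 5 per code), the IP pool and the victim's code are assumptions chosen for the demonstration, not Instagram's actual values.

```python
# Toy model of a six-digit reset-code verifier under two throttling policies.
# Constructed illustration for this article; it is NOT Instagram's code, and the
# limits, names and the victim's code below are assumptions chosen for the demo.
import hmac
import secrets
from collections import defaultdict

CODE_SPACE = 10 ** 6        # six decimal digits, as in the article
PER_IP_LIMIT = 250          # assumed weak policy: attempts allowed per source IP
PER_ACCOUNT_LIMIT = 5       # assumed hardened policy: wrong guesses allowed per issued code
IP_POOL = [f"10.{i // 256}.{i % 256}.1" for i in range(1000)]  # 1000 constructed attacker IPs


class ResetService:
    """One outstanding reset code per account; verify() applies whichever limits are set."""

    def __init__(self, per_account_limit=None, per_ip_limit=None):
        self.codes = {}                              # account -> pending six-digit code
        self.account_attempts = defaultdict(int)     # account -> guesses against current code
        self.ip_attempts = defaultdict(int)          # source ip -> guesses sent
        self.per_account_limit = per_account_limit
        self.per_ip_limit = per_ip_limit

    def request_reset(self, account, code=None):
        """Issue a fresh code (random in production; fixed here so the demo is deterministic)."""
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = code
        self.account_attempts[account] = 0

    def verify(self, account, guess, source_ip):
        """Return True only for the correct, still-valid code; every failure looks identical."""
        if account not in self.codes:
            return False
        if self.per_ip_limit is not None and self.ip_attempts[source_ip] >= self.per_ip_limit:
            return False
        if self.per_account_limit is not None and self.account_attempts[account] >= self.per_account_limit:
            return False
        self.ip_attempts[source_ip] += 1
        self.account_attempts[account] += 1
        ok = hmac.compare_digest(self.codes[account], guess)   # constant-time compare
        if ok:
            del self.codes[account]                            # single use
        elif self.per_account_limit is not None and self.account_attempts[account] >= self.per_account_limit:
            del self.codes[account]   # code burned after too many wrong guesses; user must re-request
        return ok


def brute_force(service, account, ip_pool, budget):
    """Spray sequential guesses round-robin over many source IPs, as the article describes.

    Returns (code_found_or_None, requests_sent)."""
    sent = 0
    for n in range(CODE_SPACE):
        if sent >= budget:
            break
        ip = ip_pool[sent % len(ip_pool)]
        sent += 1
        guess = f"{n:06d}"
        if service.verify(account, guess, ip):
            return guess, sent
    return None, sent


def run_weak(victim_code="137042", budget=250_000):
    """Per-IP limiting only: 1000 IPs x 250 attempts covers codes 000000-249999."""
    svc = ResetService(per_ip_limit=PER_IP_LIMIT)
    svc.request_reset("victim", victim_code)
    return brute_force(svc, "victim", IP_POOL, budget)


def run_hardened(victim_code="137042", budget=250_000):
    """Per-account limiting: the code is burned after 5 wrong guesses no matter how many IPs are used."""
    svc = ResetService(per_account_limit=PER_ACCOUNT_LIMIT)
    svc.request_reset("victim", victim_code)
    return brute_force(svc, "victim", IP_POOL, budget)


if __name__ == "__main__":
    print("weak policy     :", run_weak())       # ('137042', 137043)
    print("hardened policy :", run_hardened())   # (None, 250000)
```

With the weak policy, 1000 IPs at 250 attempts each let the attacker try a quarter of the one-million-code space inside one code's lifetime, and four times as many IPs would cover all of it; the limit is keyed on the wrong thing. The hardened model counts attempts against the issued code itself, so the IP spread buys nothing. A real deployment also has to throttle request_reset per account: each re-request gives the attacker only a few guesses against a fresh random code, so covering the space would take on the order of 200,000 reset requests, each of which notifies the victim.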
Instagram has become the go-to social media platform for pop-culture influencers, and the value of perceived endorsements from high-profile users could have made this a highly profitable attack for criminals.