Security researcher Laxman Muthiyah shared this news through his blog post that says “Facebook and Instagram security team fixed the issue and rewarded me $10,000 as a part of their bounty program.” According to him, the device ID is the unique identifier used by the Instagram server to authenticate password reset codes. When a user requests a passcode using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the passcode. He further explained that device ID is a random string that is generated by the Instagram app. The same ID can be used to request multiple passcodes of different users. When the 6 digits passcodes are requested of several users this increases the possibility of hacking the accounts. “For example, if you request a passcode of 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID. If we request passcodes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the passcode one by one.” So in order to hack the account, the hacker needs to request codes of 1 million users. Moreover, the expiry of the passcodes is 10 minutes so the entire attack should happen within 10 minutes. He further informed that the account takeover vulnerability has been fixed by the Facebook security team and no one can hack the Instagram accounts using this vulnerability. After this Facebook thanked Muthiyah and awarded him $10,000. In its letter Facebook said “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nuances to then attempt recovery. Thank you again for this report” For the latest gadget and tech news, and gadget reviews, follow us on Twitter, Facebook and Instagram. For newest tech & gadget videos subscribe to our YouTube Channel. You can also stay up to date using the Gadget Bridge Android App.
