Information security researcher Laxman Muthiyah posted on his blog how he could have hacked Instagram within 10 minutes, despite the fact that Facebook, which owns Instagram, is constantly working to improve security and prevent outside interference.
The expert discovered a vulnerability in Instagram's password recovery system. When a user enters a phone number to restore access to their profile, Instagram sends them a six-digit numeric code, which the user must then enter to confirm their identity.
Muthiyah reasoned that if he could try a million different codes at this stage, one of them would certainly match, which would let him change the password of any Instagram account.
Nevertheless, the expert rightly assumed that Instagram would surely have protection against such a head-on attack.
Indeed, Instagram limits the number of requests a single user can send. Muthiyah then calculated that a successful hack would need 5 thousand IP addresses, each sending 200 thousand requests. According to him, this is not so difficult to implement using a cloud service such as Google or Amazon, and the entire attack would cost an attacker about 150 USD.
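The calculation above hinges on where the limit is counted. The model below, an added example that is neither the researcher's nor Instagram's code, contrasts a verifier that throttles per source IP with one that caps attempts per recovery code; the 200-per-IP and 5,000-address figures are the article's, while the per-code cap of 10, the class names and the fixed code value are assumptions.

```python
from collections import defaultdict

CODE_SPACE = 10 ** 6       # six-digit numeric codes: 000000 .. 999999
RECOVERY_CODE = "483920"   # constructed value; a real system draws it with secrets.randbelow()

class PerIpThrottle:
    """Recovery-code check that throttles only by source IP, the design the article describes."""
    def __init__(self, code, max_per_ip=200):
        self.code, self.max_per_ip = code, max_per_ip
        self.seen = defaultdict(int)

    def verify(self, ip, guess):
        if self.seen[ip] >= self.max_per_ip:
            return "throttled"   # only this address is stopped; every other address is unaffected
        self.seen[ip] += 1
        return "ok" if guess == self.code else "wrong"

class PerCodeAttemptCap:
    """Hardened variant (an assumed design, not Instagram's actual fix): every guess counts
    against the code itself whatever its source, and the code is burned once the cap is hit."""
    def __init__(self, code, max_attempts=10):
        self.code, self.max_attempts = code, max_attempts
        self.attempts, self.valid = 0, True

    def verify(self, ip, guess):
        if not self.valid:
            return "invalidated"   # a fresh code (and a fresh SMS to the owner) is required
        self.attempts += 1
        if guess == self.code:
            self.valid = False     # single use
            return "ok"
        if self.attempts >= self.max_attempts:
            self.valid = False
        return "wrong"

def exposure(verifier, n_ips, per_ip_budget):
    """Worst-case exposure to n_ips addresses sending per_ip_budget requests each: (guesses evaluated, share of code space)."""
    evaluated, next_guess = 0, 0
    for ip in range(n_ips):
        for _ in range(per_ip_budget):
            if next_guess >= CODE_SPACE:
                return evaluated, evaluated / CODE_SPACE
            result = verifier.verify(f"10.{ip >> 8}.{ip & 255}.1", f"{next_guess:06d}")
            next_guess += 1
            if result == "throttled":
                break                    # this address is spent; move on to the next one
            if result == "invalidated":
                return evaluated, evaluated / CODE_SPACE   # nothing more is checked from any IP
            evaluated += 1
    return evaluated, evaluated / CODE_SPACE
```

With the article's figures the per-IP design lets the whole code space be evaluated, while the per-code cap stops everything after ten guesses regardless of how many addresses are used; in practice the cap must be paired with a short code lifetime so that a burned code cannot be re-requested indefinitely.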
Muthiyah sent his research to Facebook, which was convinced of the insecurity of the existing system. According to the letter sent by the social network's management, the Instagram vulnerability was eliminated. Muthiyah himself received thirty thousand USD as a "bug bounty" reward, compensation for the security loophole he identified.
The expert also gave some tips to those who use Instagram to protect themselves and their data.
He recommends regularly changing your password, using only unique and varied combinations, and enabling two-factor authentication so that any change to the account requires the user's approval.
In May this year, a massive leak of personal information of Instagram bloggers and celebrities became known, affecting about 50 million people in total. A database containing the data of millions of Instagram stars was discovered on the Internet. Hosted in Amazon Web Services' public cloud, it was openly accessible to anyone.
As it turned out, each entry contained the personal data of Instagram bloggers and influencers: their biography, profile photo, number of followers, geolocation, as well as email address and mobile phone number.
Shortly after the leak was reported in the foreign press, the database went offline. Facebook then announced the launch of its own investigation.
“We will conduct an investigation in order to understand where the data, including email addresses and phone numbers, came from, whether it’s from Instagram or other sources. We will also contact Chtrbox to find out where they got this information from and how it was made publicly available,” Facebook said in an official statement.
In June, Instagram's management announced a simplified procedure for recovering an account after a hack. The new system will ask the user a number of questions to confirm their identity, for example the original email address (if the hacker changed it) or the phone number. The user will then receive a six-digit code to restore the account.
This method will help return the profile to its owner even if the attackers have changed all of the contact information in order to complicate recovery.
The news was enthusiastically received by Instagram users, who had repeatedly complained that they could not promptly regain access to their accounts.