Researcher Exploits Instagram’s Account Recovery 2FA to Access Any Account

A security researcher brute-forced the six-digit code used by Instagram's mobile password-reset flow, spreading requests across 1000 machines to bypass its per-IP rate limiting. The issue has since been fixed.

Instagram login screen
Source: Perzonseo Webbyra | CC BY 2.0 | Cropped & Resized

A researcher has earned $30,000 from a bug bounty program after successfully exploiting the verification code used in the company's account-recovery process. By abusing the mobile recovery flow, Laxman Muthiyah was able to show how he could log in to any account.

In a post titled How I could Have Hacked Any Instagram Account, Muthiyah explains that while the web recovery flow sends a reset link, the mobile recovery process is less secure. Users are instead sent a text message with a six-digit passcode, and entering that code is enough to gain access to the account.

Six digits give a million possible codes, which would be impossible to try by hand but isn't too difficult with automation and the right tools. Instagram's rate limiting blocked a single IP address from trying more codes after about 250 attempts.

Because the limit was enforced per IP address rather than per account, Muthiyah could bypass it by sending requests from 1000 IP addresses at once, well within the 10-minute window before the code expires. He sent 200 requests from each of 1000 machines, a total of 200,000 requests, covering a fifth of the code space without any single address hitting the limit.

A determined attacker could therefore scale this to 5000 machines and try all 1 million combinations inside the window. Renting that capacity from a cloud provider like Amazon would cost around $150 in total.
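To make the distinction concrete, here is an added simulation (not the researcher's code, and not Instagram's) of the two rate-limiting designs. It models the 250-per-IP limit, the 10-minute code lifetime and the 1000x200 and 5000x200 request layouts described above; the source labels, the five-attempt per-account budget, the `PerIpVerifier`/`PerAccountVerifier` classes and the secret code are constructed for illustration.

```python
"""Added model of why a per-IP attempt limit on a six-digit SMS code fails
against a distributed attacker, and what a per-account budget changes.
Only the 250-per-IP limit, the 10-minute lifetime and the 1000x200 / 5000x200
layouts come from the article; everything else is constructed."""
from collections import Counter, defaultdict

CODE_SPACE = 10 ** 6          # six decimal digits -> 1,000,000 codes
CODE_LIFETIME_SECONDS = 600   # the code expires after 10 minutes


class PerIpVerifier:
    """Weak design: counts attempts per source IP only (the flawed behaviour)."""

    def __init__(self, secret: int, ip_limit: int = 250):
        self.secret = secret
        self.ip_limit = ip_limit
        self.attempts_by_ip = defaultdict(int)

    def verify(self, ip: str, code: int) -> str:
        if self.attempts_by_ip[ip] >= self.ip_limit:
            return "rate_limited"
        self.attempts_by_ip[ip] += 1
        return "ok" if code == self.secret else "wrong"


class PerAccountVerifier:
    """Hardened design: a small attempt budget per issued code, shared by every
    source IP. Exhausting it (or a correct guess) invalidates the code, so the
    account owner has to request a fresh one. The budget size is an assumption."""

    def __init__(self, secret: int, account_limit: int = 5):
        self.secret = secret
        self.account_limit = account_limit
        self.attempts = 0
        self.invalidated = False

    def verify(self, ip: str, code: int) -> str:
        if self.invalidated:
            return "code_invalidated"
        self.attempts += 1
        if code == self.secret:
            self.invalidated = True          # one-time use
            return "ok"
        if self.attempts >= self.account_limit:
            self.invalidated = True          # budget spent: burn the code
        return "wrong"


def distributed_brute_force(verifier, num_ips: int, per_ip: int) -> dict:
    """Spread guesses 0, 1, 2, ... over num_ips sources, per_ip guesses each,
    as the article's 1000 x 200 and 5000 x 200 layouts do. Stops on success
    or once the server reports the code invalidated."""
    outcomes = Counter()
    sent = 0
    found = False
    for idx in range(num_ips):
        ip = f"src-{idx}"                    # stands in for a distinct source address
        for j in range(per_ip):
            code = idx * per_ip + j
            if code >= CODE_SPACE:
                break
            result = verifier.verify(ip, code)
            sent += 1
            outcomes[result] += 1
            if result == "ok":
                found = True
            if result in ("ok", "code_invalidated"):
                return {"found": found, "requests_sent": sent, "outcomes": dict(outcomes)}
    return {"found": found, "requests_sent": sent, "outcomes": dict(outcomes)}


def required_request_rate(code_space: int = CODE_SPACE,
                          lifetime: int = CODE_LIFETIME_SECONDS) -> float:
    """Aggregate requests per second the fleet must sustain to sweep the whole
    code space before the code expires (about 1,667 req/s for 10^6 in 600 s)."""
    return code_space / lifetime


if __name__ == "__main__":
    secret = 876_543                        # constructed; the attacker does not know it
    for label, v, ips in [("per-IP, 1000x200", PerIpVerifier(secret), 1000),
                          ("per-IP, 5000x200", PerIpVerifier(secret), 5000),
                          ("per-account, 5000x200", PerAccountVerifier(secret), 5000)]:
        print(label, distributed_brute_force(v, ips, 200))
    print("required rate (req/s):", required_request_rate())
```

The 1000x200 run never exceeds 250 attempts on any address and covers codes 0 to 199,999, so it succeeds only when the code happens to fall in that fifth of the space; the 5000x200 run covers everything. Against the per-account verifier the same fleet gets five wrong guesses, after which every request, from any address, is refused until a new code is issued.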

Naturally, that's more than most would be willing to pay to break into an ordinary Instagram account. However, when you consider some of the important users on the platform, it's not that much. An attacker could have compromised the account of Donald Trump or the Bank of America to push scam links to their followers.

Thankfully, Muthiyah disclosed the issue to the company, which fixed it quickly after requesting some additional information. In 2015, Laxman also found flaws in Facebook that let him delete any photo and view any private picture.