A security researcher has earned $30,000 from Facebook’s bug bounty program after successfully exploiting the company’s two-factor authentication process. By abusing the mobile account-recovery process, Laxman Muthiyah was able to demonstrate that he could log in to any account.
In a post titled How I could Have Hacked Any Instagram Account, Muthiyah explains that while Instagram’s web recovery flow sends a reset link, the mobile recovery flow is less secure: users are instead sent a text message containing a six-digit passcode, and submitting that code logs them in.
Six digits give a million possible codes, which would be impossible to try by hand but isn’t too difficult with automation and the right tools. Instagram’s 2FA stopped a single IP address from trying further combinations after 250 attempts.
By using 1000 IP addresses at once, Muthiyah was able to show how the system could be cracked before the 10-minute timeout: he sent 200 requests from each of 1000 machines, 200,000 requests in total.
A determined attacker could, therefore, scale this to 5000 machines to try all 1 million combinations. To do so, they could rent capacity from a cloud provider like Amazon or Google, at a total cost of around $150.
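As an added illustration (not code from Muthiyah’s write-up or from Instagram), here is a recovery-code verifier that applies the control the attack relied on being absent: a per-account attempt cap that burns the code no matter how many source IPs the guesses arrive from, alongside the per-IP ceiling of 250 the article describes. The per-account threshold of 10 failed attempts and the 10-minute code lifetime are assumed policy values.

```python
import hmac
import secrets
import time
from collections import defaultdict

MAX_ATTEMPTS_PER_IP = 250      # per-IP ceiling as described in the article
MAX_ATTEMPTS_PER_CODE = 10     # assumed per-account cap, independent of source IP
CODE_TTL_SECONDS = 600         # assumed 10-minute code lifetime


class RecoveryCodeVerifier:
    """Issues six-digit recovery codes and verifies them with two independent limits.

    Keying the failure counter on the account (not only the IP) means an attacker
    spreading guesses over thousands of machines still gets at most
    MAX_ATTEMPTS_PER_CODE tries per issued code, i.e. a 10-in-a-million chance.
    """

    def __init__(self):
        self.codes = {}                      # account -> [code, issued_at, failures]
        self.ip_attempts = defaultdict(int)  # source_ip -> attempts seen

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"   # uniform over 000000..999999
        self.codes[account] = [code, now, 0]
        return code

    def verify(self, account, submitted, source_ip, now=None):
        now = time.time() if now is None else now
        self.ip_attempts[source_ip] += 1
        if self.ip_attempts[source_ip] > MAX_ATTEMPTS_PER_IP:
            return "ip_blocked"
        entry = self.codes.get(account)
        if entry is None:
            return "no_code"          # nothing outstanding (never issued or already burned)
        code, issued_at, _ = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self.codes[account]
            return "expired"
        if hmac.compare_digest(code, submitted):  # constant-time comparison
            del self.codes[account]               # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS_PER_CODE:
            del self.codes[account]   # burn the code; the user must request a fresh one
            return "code_invalidated"
        return "wrong"
```

Because the account-level counter trips after ten wrong guesses from any mix of addresses, the distributed approach in the article would exhaust the code long before it exhausted the keyspace.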
Naturally, that’s more than most would be willing to pay for access to an ordinary Instagram account. However, when you consider some of the high-profile users on the platform, it’s not that much: an attacker could have compromised the account of Donald Trump, Elon Musk, or the Bank of America to push scam links to users.
Thankfully, Muthiyah disclosed the issue to Facebook, which fixed it quickly after he supplied some additional information. In 2015, Laxman also found flaws in Facebook that let him delete any photo and view any private picture.