Laxman Muthiyah, a Chennai-based cybersecurity researcher, has won $10,000 from Instagram after spotting and reporting a new ‘account-takeover vulnerability’ in the app. Notably, he won this within a month of winning $30,000 from Facebook for an earlier security flaw he had spotted and reported in Instagram.
Muthiyah says the new vulnerability is similar to the one he had found in Instagram back in July. That flaw allowed attackers to take over Instagram accounts without the user’s consent.
Muthiyah elaborated that the flaw arose because Instagram was not using a unique device identity to validate the password reset codes requested by users. He found that the identifier the Instagram server uses to validate password reset codes could be reused, or rather misused, to request passcodes for many different users.
Muthiyah published a proof of concept showing how an arbitrary Instagram account could be taken over this way.
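As an added defensive illustration (not Muthiyah’s proof of concept and not Instagram’s code), the toy Python service below binds each reset code to both the account and the requesting device identity, caps how many accounts one device identifier may request codes for, and limits wrong guesses; the policy values are constructed for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed policy values for this illustration, not Instagram's real limits.
CODE_TTL_SECONDS = 600        # a reset code is valid for ten minutes
MAX_ACCOUNTS_PER_DEVICE = 3   # one device identity may hold codes for few accounts
MAX_VERIFY_ATTEMPTS = 5       # wrong guesses before the code is burned


class ResetCodeService:
    """Issues and checks password-reset codes bound to (account, device)."""

    def __init__(self):
        # (account, device_id) -> [code, expiry, failed_attempts]
        self._codes = {}
        # device_id -> accounts it has requested codes for (the cross-account path)
        self._device_accounts = defaultdict(set)

    def request_code(self, account, device_id, now=None):
        now = time.time() if now is None else now
        seen = self._device_accounts[device_id]
        if account not in seen and len(seen) >= MAX_ACCOUNTS_PER_DEVICE:
            # One device identifier asking for codes across many accounts is the
            # pattern described above; refuse instead of issuing more codes.
            raise PermissionError("device identity exceeded per-account quota")
        seen.add(account)
        code = f"{secrets.randbelow(10**6):06d}"      # 6-digit code from a CSPRNG
        self._codes[(account, device_id)] = [code, now + CODE_TTL_SECONDS, 0]
        return code

    def verify_code(self, account, device_id, submitted, now=None):
        now = time.time() if now is None else now
        key = (account, device_id)
        entry = self._codes.get(key)
        if entry is None:
            return False                     # no code issued for this account+device
        code, expiry, failed = entry
        if now > expiry or failed >= MAX_VERIFY_ATTEMPTS:
            del self._codes[key]             # expired or guessed too often: burn it
            return False
        if hmac.compare_digest(code, submitted):
            del self._codes[key]             # a code is single use
            return True
        entry[2] += 1                        # count the wrong guess
        return False
```

A code requested from one device cannot be redeemed from another, and a device that has already requested codes for the quota of accounts is refused further requests rather than being allowed to enumerate codes for more users.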
In a letter to Muthiyah, Facebook said: “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery.”
After validating Muthiyah’s report, Facebook fixed the security flaw and awarded him $30,000.
Muthiyah wrote in his blog post: “I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof of concept video, I could convince them the attack is feasible.”
Yesterday, Muthiyah said that he had discovered a new account takeover method and shared it with the tech giant, which earned him $10,000 under Instagram’s bug bounty programme.
Muthiyah wrote: “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme.”