At the beginning of this summer, independent researcher Laxman Muthiyah from India explained how he earned a $30,000 bug bounty by discovering a dangerous vulnerability in Instagram's password recovery mechanism. Although Facebook developers have strengthened their protection since then, the researcher has found another way to compromise the password recovery system.
The problem was again related to the six-digit secret code that users receive during Instagram's password reset procedure (the code is valid for only 10 minutes). This code is sent to the corresponding mobile phone number or email address.
Of course, Instagram developers took care to protect these codes against brute force.
However, Muthiyah discovered that during a password reset request Instagram generates an identifier for each device, and that identifier is included in the request itself. The same identifier is then used to verify the validity of the six-digit code.
“When a user requests a pass code using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the pass code”, explained Laxman Muthiyah.
As it turned out, the same ID can be used to request codes for multiple accounts. This means that by sending a sufficient number of requests, an attacker can ultimately obtain correct six-digit codes to reset passwords.
“There are a million probabilities for a six-digit code (from 000001 to 999999). By requesting passwords for multiple users, we increase the likelihood of hacking accounts. For example, if you request a verification code for 100,000 users using the same ID, you can achieve 10 percent success, because 100,000 codes will be issued for one identifier”, the researcher explains.
Laxman Muthiyah notes that by requesting a million codes, you can easily crack a million accounts, so the attack will be 100% successful; the main constraint is fitting the attack into the allocated 10 minutes.
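The design flaw described above, and the binding that removes it, modelled in Python as an added example (this is not Instagram's code and not the researcher's). `WeakVerifier` keeps codes per device identifier only, so one identifier can pool codes for many accounts and a single guess is checked against all of them; `success_probability` reproduces the 10% figure for 100,000 outstanding codes (assuming the codes are distinct). `HardenedVerifier` binds each code to the (account, device) pair, caps outstanding codes per device identifier and wrong guesses per pair; the cap values and all names are hypothetical assumptions, and the 10-minute expiry is left out to keep the model short.

```python
import secrets
from collections import defaultdict
from fractions import Fraction

CODE_SPACE = 1_000_000       # six-digit codes: 000000 .. 999999
MAX_CODES_PER_DEVICE = 5     # hypothetical cap on codes outstanding for one device id
MAX_VERIFY_ATTEMPTS = 5      # hypothetical cap on wrong guesses per (account, device) pair


def success_probability(codes_outstanding: int, code_space: int = CODE_SPACE) -> Fraction:
    """Chance that one guessed code matches any of `codes_outstanding` distinct codes
    that all validate under the same identifier: 100,000 outstanding codes -> 1/10."""
    return Fraction(min(codes_outstanding, code_space), code_space)


def new_code() -> str:
    """A fresh zero-padded six-digit code from a CSPRNG."""
    return f"{secrets.randbelow(CODE_SPACE):06d}"


class WeakVerifier:
    """Model of the flawed design: codes are stored per device id only, so one device id
    can accumulate codes for many accounts and one guess is checked against all of them."""

    def __init__(self) -> None:
        self.codes = defaultdict(dict)          # device_id -> {code: account}

    def request_code(self, device_id: str, account: str) -> str:
        code = new_code()
        self.codes[device_id][code] = account   # no limit, no binding to the account
        return code

    def outstanding(self, device_id: str) -> int:
        return len(self.codes[device_id])

    def verify(self, device_id: str, code: str):
        # Returns whichever account's code matched; the caller never names the account.
        return self.codes[device_id].get(code)


class HardenedVerifier:
    """Codes are bound to the (account, device id) pair, a device id may hold only a few
    outstanding codes, and wrong guesses per pair are capped (hypothetical limits)."""

    def __init__(self) -> None:
        self.codes = {}                          # (account, device_id) -> code
        self.per_device = defaultdict(int)       # device_id -> outstanding codes
        self.failures = defaultdict(int)         # (account, device_id) -> wrong guesses

    def request_code(self, device_id: str, account: str):
        key = (account, device_id)
        if key not in self.codes:
            if self.per_device[device_id] >= MAX_CODES_PER_DEVICE:
                return None                      # refuse: this device id is at its cap
            self.per_device[device_id] += 1
        code = new_code()
        self.codes[key] = code                   # re-requesting replaces the old code
        return code

    def verify(self, device_id: str, account: str, code: str) -> bool:
        key = (account, device_id)
        if self.failures[key] >= MAX_VERIFY_ATTEMPTS:
            return False                         # locked out, even for the right code
        if self.codes.get(key) == code:
            del self.codes[key]                  # single use
            self.per_device[device_id] -= 1
            self.failures.pop(key, None)
            return True
        self.failures[key] += 1
        return False


if __name__ == "__main__":
    for n in (1, 100_000, 1_000_000):
        print(f"{n:>9} codes under one id -> one guess succeeds with p = {success_probability(n)}")
    weak = WeakVerifier()
    for i in range(1000):                        # constructed sample: 1000 accounts, one device id
        weak.request_code("device-A", f"user{i}")
    print("weak design: codes pooled under device-A =", weak.outstanding("device-A"))
    hard = HardenedVerifier()
    issued = [hard.request_code("device-A", f"user{i}") for i in range(10)]
    print("hardened: codes issued for 10 accounts on one device =", sum(c is not None for c in issued))
```

The hardened model changes what one guess is checked against: a single (account, device) code instead of every code ever issued under the device identifier, so pooling codes for many accounts no longer raises the per-guess success rate, and the two caps bound both the pool size and the number of guesses regardless.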