Barely a month after winning $30,000 (roughly Rs. 21.6 lakhs) from Facebook for spotting a flaw in Instagram, Chennai-based security researcher Laxman Muthiyah on Monday said he again discovered a new account takeover vulnerability on the photo and video-sharing app. This time he has won $10,000 (roughly Rs. 7.2 lakhs) as part of the social network’s bug bounty programme. The new vulnerability that Muthiyah spotted was similar to the one he reported in July and allowed anyone to hack Instagram accounts without consent permission.
Facebook has now fixed the vulnerability that Muthiyah reported.
“Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme,” Muthiyah said in a blog post.
Muthiyah found that the same device ID – the unique identifier used by Instagram server to validate password reset codes – can be used to request multiple passcodes of different users.
He showed that this vulnerability can be exploited to hack Instagram accounts.
“You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to ten attempt recovery,” Facebook said in a letter to Muthiyah.
Last month, Muthiyah discovered it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few email and proof of concept video, I could convince them the attack is feasible,” Muthiyah wrote in a blog post.