Critical vulnerability in Instagram can allow hackers to take complete control of anyone’s account

• The vulnerability resided in the ‘password recovery’ feature of the mobile version of Instagram.
• The flaw could allow remote attackers to reset the passwords for any Instagram account and take complete control of it.

Facebook-owned photo and video-sharing social networking service, Instagram was found vulnerable to attackers recently. The flaw could allow remote attackers to reset the passwords for any Instagram account and take complete control of it.

What’s the matter?

Discovered and reported by an Indian bug bounty hunter Laxman Muthiyah, the vulnerability resided in the ‘password recovery’ feature of the mobile version of Instagram.

The ‘password reset’ or ‘password recovery’ is a feature that enables users to regain access to their accounts in case they forget their password. Recovering an Instagram account on mobile requires a user to provide a six-digit passcode to prove his/her identity. The passcode is sent to the associated mobile number or email account.

Muthiyah noted that this passcode is one out of a million combinations which could let attackers unlock any Instagram account using brute force attack. Although Instagram’s rate-limiting characteristic could prevent such attacks, Muthiyah further found that this rate-limiting could be bypassed by sending brute force requests from different IP addresses and leveraging race condition. This allowed the attackers to send concurrent requests to process multiple attempts simultaneously.

“My tests did show the presence of rate limiting. I sent around 1000 requests, 250 of them went through and the rest 750 requests were rate limited. Tried another 1000, now many of them got rate limited. So their systems are validating and rate limiting the requests properly,” said Muthiyah in a blog post.

What caused the bypass of the rate-limiting mechanism?

During the investigation, it was found that there were two things that allowed the bypass of the rate-limiting mechanism:

• Race Hazard;
• IP rotation.

"Race hazard (concurrent requests) and IP rotation allowed me to bypass it. Otherwise, it wouldn't be possible. 10 minutes expiry time is the key to their rate limiting mechanism, that's why they didn't enforce permanent blocking of codes," Laxman told The Hacker News.

What action has been taken?

Muthiyah has released a proof-of-concept for the vulnerability, which has now been patched. Meanwhile, users are advised to enable ‘two-factor authentication’ which could prevent hackers from accessing their accounts even if they manage to steal the passwords.