Good guy hacker Laxman Muthiyah likes to use his talents to find online vulnerabilities so they can be fixed by the vendor before bad guy hackers can exploit them. There’s usually a bounty for finding such flaws and Facebook is becoming a sweet earner for the Indian security researcher.
He has already uncovered four security vulnerabilities from the social networking giant, and has now announced a fifth.
Muthiyah’s latest find is a flaw in the way Instagram handled the validation of password reset codes. The defect meant an attacker could request one million password reset codes within a ten-minute window, with 100 percent success.
Why steal Instagram account passwords when you can use the system password reset process instead?
Just last month, Muthiyah announced that he had found an Instagram vulnerability that allowed him to hack any Instagram account without its owner’s consent.
Facebook (which owns Instagram) paid Muthiyah $30,000 for the disclosure and the vulnerability was swiftly fixed. He had already found and disclosed three previous Facebook vulnerabilities that earned bug bounty payouts too.
Muthiyah spotted a data deletion snag and a data disclosure bug for Facebook. The first bug had the potential to corrupt all your photos without the attacker knowing your password, while the second could trick you into installing an innocent-looking mobile app that could reach all your photos without you ever granting it access to your account.
Hacking the Facebook companies has been a sweet earner for Muthiyah, so why should he stop at four? He, like many more sinister hackers, knew there was still mileage in Instagram’s password reset endpoint for account takeover vulnerabilities. This time, the hacker was paid $10,000 for his contribution to making Instagram safer.
The latest vulnerability he found is similar to the previous one but less severe, Muthiyah said. He turned his attention to the device ID that Instagram uses as a unique identifier to validate the password reset codes. “When a user requests a passcode using his/her mobile device,” Muthiyah explained, “a device ID is sent along with the request. The same device ID is used again to verify the passcode.”
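The flow Muthiyah describes, a passcode issued alongside a client-supplied device ID and later checked against that same ID, is worth seeing from the defender's side. The following is an added example, not code from the article, from Muthiyah or from Instagram: a toy reset-passcode service whose design choices (a six-digit code, a ten-minute validity window, single use, and a wrong-guess budget counted per account rather than per device ID) are the example's own assumptions. The point it makes is that a six-digit code has one million possible values, so the verification step, not the code length, is what has to bound how many of them an attacker can try.

```python
"""
Added example (not the article's or Instagram's code): a toy password-reset
passcode service.  Design assumptions are the example's own:

  * a 6-digit passcode (1,000,000 possibilities) is issued per reset request
    and bound to both the account and the client-supplied device ID;
  * wrong guesses are counted per *account*, not per device ID, because the
    device ID is chosen by whoever sends the request;
  * the counter survives re-requesting a code, so a fresh request does not
    hand out a fresh guess budget;
  * codes expire after a short TTL and are single-use.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600          # ten-minute validity window (assumed)
MAX_ATTEMPTS_PER_ACCOUNT = 5    # wrong guesses allowed before the code is voided (assumed)


@dataclass
class PendingReset:
    code: str
    device_id: str
    issued_at: float


class PasscodeService:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._pending: dict[str, PendingReset] = {}
        self._failed: dict[str, int] = {}        # wrong guesses per account

    def request_code(self, account: str, device_id: str) -> str:
        """Issue a fresh passcode bound to (account, device_id).

        Replaces any earlier code for the account.  The failed-guess counter
        is deliberately left alone: re-requesting must not reset it.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = PendingReset(code, device_id, self._clock())
        # In a real system the code is delivered out of band (SMS/e-mail),
        # never returned to the requesting client.
        return code

    def verify(self, account: str, device_id: str, code: str) -> bool:
        """Return True only for the right code from the right device, within
        the TTL, while the account is under its guess budget."""
        pending = self._pending.get(account)
        if pending is None:
            return False

        # Budget check is keyed on the account: rotating device IDs between
        # guesses does not buy extra attempts.
        if self._failed.get(account, 0) >= MAX_ATTEMPTS_PER_ACCOUNT:
            self._pending.pop(account, None)
            return False

        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            self._pending.pop(account, None)
            return False

        # Constant-time comparisons so timing does not leak partial matches.
        device_ok = hmac.compare_digest(pending.device_id, device_id)
        code_ok = hmac.compare_digest(pending.code, code)
        if device_ok and code_ok:
            self._pending.pop(account, None)     # single use
            self._failed.pop(account, None)      # success clears the counter
            return True

        # A wrong code *or* a mismatched device ID both count as a failure.
        self._failed[account] = self._failed.get(account, 0) + 1
        return False


if __name__ == "__main__":
    svc = PasscodeService()
    issued = svc.request_code("alice", "device-A")
    print("wrong device accepted?", svc.verify("alice", "device-B", issued))   # False
    print("right device accepted?", svc.verify("alice", "device-A", issued))   # True
    print("replay accepted?", svc.verify("alice", "device-A", issued))         # False
```

The counter lives with the account because that is the one value the attacker cannot choose; anything the client supplies, including the device ID, is the wrong key for a rate limit. Binding the code to the device ID still adds value, since a code intercepted in transit is useless from any other device, but it is the per-account budget and the short TTL that keep a one-million-value code space from being walked.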