Instagram Vulnerability Allows Hacking of Other Accounts

Security researcher Laxman Muthiyah has discovered a new vulnerability in the Instagram photo and video sharing app that allows attackers to take control of other users’ accounts. In July of this year, Muthiyah reported a similar issue that made it possible to hack any account in just 10 minutes. Exploiting that earlier vulnerability allowed attackers to reset the password for any Instagram account and gain full control over it. For reporting that bug, the researcher received a $30,000 reward as part of Instagram’s bug bounty program.

As with the previous case, the new vulnerability also allows any Instagram account to be hacked. Muthiyah found that the same device identifier (a unique ID used by Instagram’s servers to verify password reset codes) could be used to request multiple codes for different users, making it possible to compromise accounts on the platform.

“There are 1 million possible six-digit passwords (from 000001 to 999999). When requesting passwords for multiple users, the chance of successfully hacking accounts increases. For example, if you request passwords for 100,000 users using the same device identifier, the probability of success is 10%. If we request passwords for 1 million users, we could easily hack 1 million accounts,” Muthiyah explained.
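The server-side controls that close this gap can be sketched as follows. This is an added example, not code from Instagram or from the researcher: a hypothetical in-memory reset-code service that binds each code to one account and one device ID, caps how many distinct accounts a single device ID may request codes for, and limits wrong guesses per code. All names and limits are assumptions.

```python
import hmac
import secrets
import time

MAX_ACCOUNTS_PER_DEVICE = 3   # assumed policy: distinct accounts per device ID
MAX_ATTEMPTS_PER_CODE = 5     # assumed policy: guesses before a code is voided
CODE_TTL_SECONDS = 600        # assumed policy: code lifetime
WINDOW_SECONDS = 3600         # assumed policy: window for the per-device count


class ResetCodeService:
    """Hypothetical reset-code issuer; not Instagram's implementation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}            # account -> [code, device_id, expires_at, attempts_left]
        self._device_accounts = {}  # device_id -> {account: last_request_time}

    def request_code(self, account, device_id):
        now = self._clock()
        seen = self._device_accounts.setdefault(device_id, {})
        # Forget accounts this device last asked about outside the window.
        for acct in [a for a, t in seen.items() if now - t > WINDOW_SECONDS]:
            del seen[acct]
        if account not in seen and len(seen) >= MAX_ACCOUNTS_PER_DEVICE:
            return None  # one device ID fanning out across many accounts: refuse
        seen[account] = now
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[account] = [code, device_id, now + CODE_TTL_SECONDS,
                                MAX_ATTEMPTS_PER_CODE]
        return code  # a real service delivers this out of band, never to the caller

    def verify_code(self, account, device_id, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, bound_device, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._codes[account]
            return False
        entry[3] = attempts_left - 1  # count every attempt, whichever device makes it
        ok = bound_device == device_id and hmac.compare_digest(code, guess)
        if ok:
            del self._codes[account]  # single use
        return ok
```

The per-device cap addresses the fan-out across users described in the quote; the per-code attempt limit and expiry bound guessing against any single account.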

The researcher reported his findings to the Instagram and Facebook security teams. This time, he received a $10,000 reward for disclosing the vulnerability.
