In today’s world, everything is on internet even our social life. Despite having advanced security measures by tech giants (such as Facebook, Google etc) hackers found a way to bypass those measures.
One such popular social media platform, has a flaw which helps hackers to hack any Instagram account without requiring any use interaction.
So, let’s discuss about it.
About the bug
The “password recovery” or “password reset” is a feature that helps the users to reset their account in case they forget the password.
The Instagram has a similar feature but user have to enter a six digit passcode (that is valid for 10 minutes) sent to their registered mobile number.
So the six digit passcode are from 000000 to 999999 that are 10lakh passcodes. but these passcodes are random.
So in theory one can try to enter 10lakh passcodes but the Instagram passcode has 10 minute validity i.e. the code will not work after the 10 minute..
Also, the Instagram blocks a computer or you can say that IP address, if a computer make more than 200 guesses.
How to hack
But a security researcher researcher Laxman Muthiyah has found a way.
According to him, he tried with 1 IP addresses( or you can say 1 computer) and got blocklisted after 200 attempt.
Then he tried with 1000 IP addresses (or 1000 computers) and was able to make 2,00,000 guesses.
From this, he understands he needed 5000 computers (5000 *200 =10,00,000).
How to get 5000 computers
Yeah this is the question, how to try the passcode the 5000 computers ?
Well this is easy than you may have thought.
You can get the 5000 IP addresses from the cloud accounts (cloud computing) from Amazon (AWS) , Microsoft (Azure) or from Google (GCP) from as low as 150$ or in about ₹10,500.
Video of the attack:
Instagram has patched this vulnerability and awarded Laxman $30,000 or ₹20.6 lakhs as bug Bounty.