Meet Mr. Laxman Muthiah, who received $30,000 from Facebook for finding a bug on Instagram. The 26-year-old Security Researcher from Chennai has received much applause after finding the vulnerability as a part of the bug bounty program.
The bug found by Muthiah allowed him to access any Instagram profile without the user's consent. It worked through Instagram's password reset option: after requesting a recovery code, he realized that Instagram blocked a user after 200 tries, but the limit applied only to a single IP address. His payload, written in PHP, activated 1000 instances at once across different servers, and these instances brute-forced the actual recovery code before the timeout, which is 10 minutes.
Muthiah reported the bug to the Facebook Security team, but they were unable to reproduce it due to a lack of information in his report. After sending a few emails and a video as proof, he convinced them that the attack was attainable. The security team took immediate action and fixed the vulnerability.
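To show why a per-IP limit alone does not protect a recovery code, here is an added defensive illustration (not Instagram's code): a small reset-code verifier with the weak per-IP-only limit beside a per-account cap that also invalidates the code once the cap is hit. The 200-tries-per-IP figure and the 10-minute lifetime come from the article; the 6-digit code format, the per-account cap of 10, and the `ResetService` class are assumptions for this example.

```python
import secrets
import time
from collections import defaultdict

CODE_TTL = 600          # article: recovery code times out after 10 minutes
PER_IP_LIMIT = 200      # article: Instagram blocked a client after 200 tries per IP
PER_ACCOUNT_LIMIT = 10  # assumed: hard cap on guesses per account, regardless of IP


class ResetService:
    """Hypothetical password-reset backend. per_account_cap=False reproduces the
    per-IP-only limiting described in the article; True adds the account cap."""

    def __init__(self, per_account_cap=True):
        self.per_account_cap = per_account_cap
        self.codes = {}                     # account -> (code, expiry timestamp)
        self.ip_tries = defaultdict(int)    # attempts seen from each client IP
        self.acct_tries = defaultdict(int)  # attempts seen against each account

    def issue_code(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit numeric code
        self.codes[account] = (code, now + CODE_TTL)
        self.acct_tries[account] = 0
        return code

    def verify(self, account, ip, guess, now=None):
        """Return 'ok', 'bad', 'blocked' or 'expired' for one verification attempt."""
        now = time.time() if now is None else now
        if account not in self.codes:
            return "expired"
        code, expiry = self.codes[account]
        if now > expiry:
            del self.codes[account]
            return "expired"
        if self.ip_tries[ip] >= PER_IP_LIMIT:
            return "blocked"
        if self.per_account_cap and self.acct_tries[account] >= PER_ACCOUNT_LIMIT:
            del self.codes[account]  # burn the code: rotating IPs no longer helps
            return "blocked"
        self.ip_tries[ip] += 1
        self.acct_tries[account] += 1
        if secrets.compare_digest(guess, code):  # constant-time comparison
            del self.codes[account]              # single use
            return "ok"
        return "bad"


def guess_budget(service, account, n_ips):
    """Limiter regression check: how many wrong guesses does the service accept
    for one account when a client rotates across n_ips addresses?"""
    code = service.issue_code(account)
    wrong = "000000" if code != "000000" else "000001"  # guaranteed incorrect
    accepted = 0
    for i in range(n_ips):
        ip = f"203.0.113.{i}"  # constructed client IPs (TEST-NET-3 range)
        while service.verify(account, ip, wrong) == "bad":
            accepted += 1
    return accepted
```

With per-IP limiting only, five addresses yield 1000 accepted wrong guesses (200 each), which is the scaling the article describes; with the account cap the budget stays at 10 no matter how many addresses are used.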
Paul Ducklin, Senior Technologist at cybersecurity major Sophos, warned users about the vulnerability. He said that users should familiarise themselves with the process of regaining control of a hacked account.
Past Bug Bounty Achievements
This is not the first time Muthiah has found a bug. He has been participating in bug bounty programs since 2012, when he was in college. In 2015, he found two bugs on Facebook. He reported that one of the bugs allowed him to delete any public photo album of a user through an active token. The other bug tricked users into installing a forged mobile app that shuffled through all of their Facebook pictures and albums. Facebook rewarded him $10,000 and $5,000 for the data disclosure and data deletion bugs.
Mr. Laxman has warned that aspiring techies should not perform vulnerability checks on websites without prior permission. He added that people should participate in bug bounty programs to learn the true essence of pen-testing. To quote Muthiah, “To become a Security Researcher, you need to be a jack of all trades and keep yourself updated daily.”