An independent researcher has found a security loophole in Instagram’s mobile password recovery flow that could have allowed attackers to break into user accounts.
The flaw, discovered and reported by India-based researcher Laxman Muthiyah, has since been fixed by Instagram’s owner, Facebook. The researcher, meanwhile, received a bug bounty payout of US$30,000 for his work.
Muthiyah, who has a history of spotting bugs in Facebook, said that his latest bug-hunting effort was prompted by Facebook’s recent decision to increase payouts for vulnerabilities that can lead to account takeovers. Instagram’s web interface with a link-based password reset is not susceptible to the vulnerability.
As described in this posting and demonstrated in this proof-of-concept video, the security hole had to do with how the photo-sharing service enabled users to regain access to their accounts in case they’d forgotten their passwords.
As part of the password recovery process, you receive a six-digit code to your recovery phone number that you’re asked to enter into the app as a way of validating your identity. The code expires after 10 minutes and Instagram has additional safeguards in place in order to foil brute-force attacks at the code, where ne’er-do-wells would try to ram their way in by trying out all possible combinations in a bid to arrive at the correct one. With six digits from 0-9, there would be no more than a million possibilities to try.
Still, Muthiyah demonstrated that the process could be subverted.
Hazarding a guess
The good thing is that the photo-sharing service puts a cap on the number of attempts that can be made from a particular IP address within the 10-minute window. As a result, Muthiyah initially found that only 250 out of 1,000 requests he’d sent eventually went through while the rest ended up rate-limited, or effectively denied.
However, he realized that he “was able to send requests continuously without getting blocked”, even though the number of requests sent within a time span was indeed restricted.
“After a few days of continuous testing, I found two things that allowed me to bypass their rate limiting mechanism,” he said. The two things were a race hazard and an IP rotation. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited,” he said.
Long story short, Muthiyah co-opted 1,000 IP addresses from cloud-based services for the task and tried out 200,000 code combinations against a test account.
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” he wrote. Generally speaking, brute-force techniques are also associated with botnets.
In conclusion, on top of using a strong and unique password to access (not only) your Instagram account, it’s always best to rely also on an extra authentication factor, and the platform recently expanded its two-factor authentication options. Last month, the site also announced the testing of a new in-app process for users to regain access to accounts that have been overtaken by cybercriminals.