Security researcher Laxman Muthiyah discovered a vulnerability in Instagram that could allow an attacker to take control of someone else’s account.
Muthiyah found that the same device identifier (a unique identifier used by Instagram servers to check password reset codes) can be used to request codes for several different users, which makes it possible to break into accounts on the service.
“There are 1 million probabilities of a six-digit password (from 000001 to 999999). When requesting passwords for multiple users, the possibility of hacking accounts increases. For example, if you request passwords of 100 thousand users using the same device identifier, the success rate will be 10%. If we request passwords for 1 million users, we can easily crack 1 million accounts,” Muthiyah explained.
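One defensive check against the pattern described above, as an added example that is not Instagram's code or the researcher's: it caps how many distinct accounts a single device identifier may request reset codes for, and flags device identifiers that exceed the cap. The class and function names, the one-hour window, the threshold of three accounts and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 3600        # assumed sliding window
MAX_ACCOUNTS_PER_DEVICE = 3  # assumed policy threshold


class ResetRequestGuard:
    """Limits how many distinct accounts one device identifier may
    request password reset codes for inside a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, max_accounts=MAX_ACCOUNTS_PER_DEVICE):
        self.window = window
        self.max_accounts = max_accounts
        self._recent = defaultdict(dict)  # device_id -> {account: last request time}

    def allow(self, device_id, account, now):
        accounts = self._recent[device_id]
        # Forget accounts whose last request fell out of the window.
        for stale in [a for a, ts in accounts.items() if now - ts >= self.window]:
            del accounts[stale]
        # A repeat request for an already-seen account is not fan-out.
        if account not in accounts and len(accounts) >= self.max_accounts:
            return False
        accounts[account] = now
        return True


def flag_fanout(events, **policy):
    """Return device IDs that were refused at least once, in sorted order."""
    guard = ResetRequestGuard(**policy)
    flagged = set()
    for ts, device_id, account in sorted(events):
        if not guard.allow(device_id, account, ts):
            flagged.add(device_id)
    return sorted(flagged)


# Constructed sample events: (unix time, device identifier, account).
SAMPLE_EVENTS = [
    (1000, "dev-A", "alice"),
    (1010, "dev-A", "alice"),      # same user retrying
    (1020, "dev-B", "user0001"),
    (1021, "dev-B", "user0002"),
    (1022, "dev-B", "user0003"),
    (1023, "dev-B", "user0004"),   # fourth distinct account from one device
    (5000, "dev-A", "bob"),
]

if __name__ == "__main__":
    print(flag_fanout(SAMPLE_EVENTS))
```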
The researcher reported his finding to the Instagram and Facebook security teams. For reporting the vulnerability, he received a reward of $10 thousand.
As became known last week, Facebook has expanded its reward program to cover reports of user data abuse on Instagram. On the social network itself, the Data Abuse Bounty Program was launched in April 2018 – after the Cambridge Analytica scandal.