
INSTAGRAM 1 MILLION ACCOUNTS CAN BE HACKED WITHIN 10 MINUTES

Recently, researcher Laxman Muthiyah from Chennai found a vulnerability which could allow the takeover of more than 1 million accounts within a minimum of 10 minutes. As stated by him in a blog post, when a user requests a password reset, Instagram issues a unique, randomly generated identifier to each device.

That device ID is then sent with the passcode requests the device makes during the password reset process, and Instagram uses the same device ID to verify the users and the devices.

While analyzing this Device ID feature, Laxman found that it is possible to request passcodes for multiple accounts from a single device: a single device, or the same Device ID, could be linked to the passcodes of many different accounts.

Thus, the probability of successfully hacking an account increases with the number of passcodes requested on a specific device. He further explained in his blog post that a six-digit passcode has one million possibilities, as the number could range from 000001 to 999999.

If we request passcodes from the same device for 10,000 users, the probability of success is 10%, but if the number of passcodes requested increases to one million, the success rate turns out to be 100%.

Thus, the greater the number of passcodes requested by a single device, the greater the chances of an account being taken over by the attacker. Eventually, the success of the attack rises to 100% by incrementing the passcodes one by one.

As an Instagram passcode is valid only for 10 minutes, the entire attack has to take place within that time limit. To prove his concept of exploitation he used more than a thousand cloud machine instances.

His method bypasses the brute-force detection technique Instagram uses to block such attacks by unauthorized actors. Previously, Muthiyah had found three Facebook vulnerabilities and won bug bounty payouts for them.
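As an added illustration (not Instagram's code and not from the researcher's write-up), here is a reset-passcode store that applies the two controls the description implies: a cap on how many accounts one device ID may hold live reset codes for, and a verification-attempt budget counted per device rather than per account, so spreading guesses across many accounts bound to the same device does not escape the limit. The class name, the constants and the fake clock are assumptions.

```python
import time
from collections import defaultdict

CODE_TTL = 600                  # passcode valid for 10 minutes, as on the page
MAX_ACCOUNTS_PER_DEVICE = 5     # assumed cap on accounts one device may reset at once
MAX_ATTEMPTS_PER_DEVICE = 20    # assumed attempt budget per device, across all accounts


class ResetCodes:
    """Hypothetical store of reset passcodes bound to (device_id, account)."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.codes = {}                     # (device_id, account) -> (code, issued_at)
        self.attempts = defaultdict(int)    # device_id -> verification attempts

    def _expire(self):
        t = self.now()
        for key, (_, issued) in list(self.codes.items()):
            if t - issued > CODE_TTL:
                del self.codes[key]
        # Once a device holds no live codes, its attempt budget is released
        for dev in list(self.attempts):
            if not any(d == dev for (d, _) in self.codes):
                self.attempts[dev] = 0

    def issue(self, device_id, account, code):
        self._expire()
        live = {acc for (dev, acc) in self.codes if dev == device_id}
        # Refuse to bind a single device ID to an unbounded number of accounts
        if account not in live and len(live) >= MAX_ACCOUNTS_PER_DEVICE:
            return False
        self.codes[(device_id, account)] = (code, self.now())
        return True

    def verify(self, device_id, account, guess):
        self._expire()
        # The budget is per device, not per account, so the counter cannot be
        # reset by pointing the next guess at a different account
        if self.attempts[device_id] >= MAX_ATTEMPTS_PER_DEVICE:
            return "locked"
        self.attempts[device_id] += 1
        entry = self.codes.get((device_id, account))
        if entry is not None and entry[0] == guess:
            del self.codes[(device_id, account)]   # single use
            return "ok"
        return "wrong"
```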

Another vulnerability was discovered by Laxman last month which allowed an attacker to hack any Instagram account by using multiple IPs. The severity of the flaw reported was very high even though it had a limiting factor: the passcode expires within 10 minutes. Facebook rewarded him with a $30,000 bug bounty.

The new flaw is less severe than the previous one he reported. This time Facebook rewarded the Chennai techie with a bounty of $10,000 as part of the tech giant's bug bounty program.

The bug is now patched, and users are now safe from this vulnerability that the photo and video sharing application was earlier open to.
