
INSTAGRAM 1 MILLION ACCOUNTS CAN BE HACKED WITHIN 10 MINUTES

Recently, a researcher, Laxman Muthiyah from Chennai, found a vulnerability that could allow the takeover of more than 1 million accounts within as little as 10 minutes. As he stated in a blog post, when a user requests a password reset, Instagram issues a unique, randomly generated identifier to each device.

That device ID is tied to the device that requests a passcode during the password reset process, and Instagram uses the same device ID to verify the user and the device.

While analysing this device ID feature, Laxman found that it is possible to request passcodes for multiple accounts from a single device: one device, or one device ID, can be linked to passcodes for many different accounts.

Thus, the chances of successfully hijacking an account increase with the number of passcodes requested on a specific device. He further explained in his blog post that a six-digit passcode has one million possibilities, with the numbers ranging from 000001 to 999999.

If passcodes are requested from the same device for 10,000 users, the probability of success is 10%, but if the number of passcodes requested increases to one million, the success rate reaches 100%.

So the more passcodes a single device requests, the greater the chances of an account being taken over by the attacker; by incrementing the passcode one value at a time, the success of the attack eventually reaches 100%.

Because an Instagram passcode is valid for only 10 minutes, the attacker has to carry out the entire attack within that window. To prove his concept, he used more than a thousand cloud machine instances.
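To make the weakness concrete, here is an added, hypothetical Python model of a device-ID-keyed reset flow, written for this article rather than taken from Instagram or from the researcher's post. The weak verifier compares a guess with every account linked to a device, so its hit chance grows with the number of passcodes the device requested; the hardened verifier scopes the check to one named account, caps the accounts a device may link and the failed attempts per account, and honours the 10-minute expiry. The class, method names and cap values are all assumptions.

```python
import secrets
from collections import defaultdict

CODE_SPACE = 1_000_000         # six-digit passcode: one million possible values (article)
CODE_TTL = 600                 # passcode lifetime in seconds: 10 minutes (article)
MAX_ACCOUNTS_PER_DEVICE = 3    # hardened-only cap; assumed value
MAX_ATTEMPTS_PER_ACCOUNT = 5   # hardened-only cap; assumed value


class ResetService:
    """Toy model of a device-ID-keyed reset flow (hypothetical, not Instagram's code)."""
    def __init__(self, hardened, clock):
        self.hardened = hardened
        self.clock = clock                  # callable returning seconds, injected for tests
        self.codes = {}                     # account -> (code, issued_at)
        self.linked = defaultdict(set)      # device_id -> accounts with a code on this device
        self.attempts = defaultdict(int)    # account -> failed verification attempts

    def request_code(self, account, device_id):
        new = account not in self.linked[device_id]
        if self.hardened and new and len(self.linked[device_id]) >= MAX_ACCOUNTS_PER_DEVICE:
            return None                     # refuse: too many distinct accounts on one device
        code = secrets.randbelow(CODE_SPACE)
        self.codes[account] = (code, self.clock())
        self.linked[device_id].add(account)
        return code

    def _live(self, account):
        code, issued = self.codes.get(account, (None, 0))
        return code if code is not None and self.clock() - issued < CODE_TTL else None

    def verify_weak(self, device_id, guess):
        # Weak: a single guess is compared with every account linked to the device,
        # so the chance of a hit grows with the number of accounts the device requested.
        for account in self.linked[device_id]:
            if self._live(account) == guess:
                return account
        return None

    def verify(self, account, device_id, guess):
        # Hardened: scope the check to one named account and count failures per account.
        if account not in self.linked[device_id] or self.attempts[account] >= MAX_ATTEMPTS_PER_ACCOUNT:
            return False
        if self._live(account) == guess:
            self.codes.pop(account)         # single use
            return True
        self.attempts[account] += 1
        if self.attempts[account] >= MAX_ATTEMPTS_PER_ACCOUNT:
            self.codes.pop(account, None)   # burn the code after too many failures
        return False
```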

His method bypasses the brute-force detection that Instagram uses to block such attempts by unauthorised actors. Muthiyah had previously found three Facebook vulnerabilities and won bug bounty payouts for them.

Last month Laxman discovered another vulnerability that allowed an attacker to hack any Instagram account by using multiple IPs. The severity of that flaw was rated very high even though it had a limiting factor: the passcode expires within 10 minutes. Facebook rewarded him with a $30,000 bug bounty.

The new flaw is less severe than the one he reported previously. This time Facebook rewarded the Chennai techie with a $10,000 bounty as part of the tech giant's bug bounty program.

The bug has now been patched, and users are safe from the vulnerability that the photo and video sharing application was previously exposed to.
