
INSTAGRAM 1 MILLION ACCOUNTS CAN BE HACKED WITHIN 10 MINUTES

Recently, researcher Laxman Muthiyah from Chennai found a vulnerability that could allow the takeover of more than 1 million accounts within 10 minutes. As he states in a blog post, when a user requests a password reset, Instagram issues a unique, randomly generated identifier to the requesting device.

That device ID is sent with every passcode request the device makes during the password reset process, and Instagram uses the same device ID to verify the user and the device.

While analyzing this device ID feature, Laxman found that it is possible to request passcodes for multiple accounts from a single device: one device, that is, one device ID, could be linked to passcodes for many different accounts.

Thus the chance of successfully hijacking an account grows with the number of passcodes requested on one device. He further explained in his blog post that a six-digit passcode has one million possible values, ranging from 000001 to 999999.

If passcodes for 10,000 users are requested from the same device, the probability of success is 10%, but if the number of passcodes requested increases to one million, the success rate becomes 100%.

Thus, the more passcodes requested by a single device, the greater the chance that an account is taken over by the attacker. The success rate eventually reaches 100% by incrementing the passcodes one by one.

As an Instagram passcode is valid for only 10 minutes, the entire attack must take place within that time limit. To prove his concept of exploitation, he used more than a thousand cloud machine instances.

His method bypasses the brute-force attack detection Instagram uses to block unauthorized actors. Previously, Muthiyah had found three Facebook vulnerabilities and won bug bounty payouts for them.
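The design flaw described above is that a passcode was looked up by device ID rather than by the account it was issued for, so one device could hold live codes for many accounts and a single guess was checked against all of them. The toy model below is an added example written for this page; it is not Instagram's code and the class names, the `max_attempts` budget of 5 and the in-memory stores are assumptions. It contrasts a device-bound store, where linking N accounts to one device raises the per-guess hit chance to at most N/10^6, with an account-bound store, where a code is valid only for its own (account, device) pair and each account has its own failed-attempt budget, so linking more accounts buys nothing.

```python
import secrets

# Six-digit passcodes: one million possible values, as the article states.
CODE_SPACE = 1_000_000


class DeviceBoundStore:
    """Toy model (constructed for this example) of the flawed design: a passcode
    is issued for an account but looked up by device ID alone, so one device
    accumulates live codes for every account that requested a reset to it."""

    def __init__(self):
        self.pending = {}  # device_id -> {code: account}

    def issue(self, account, device_id):
        code = secrets.randbelow(CODE_SPACE)
        self.pending.setdefault(device_id, {})[code] = account
        return code

    def verify(self, device_id, code):
        # Any linked account whose code matches is accepted: the more accounts
        # linked to this device, the more codes a single guess can hit.
        return self.pending.get(device_id, {}).get(code)

    def live_codes(self, device_id):
        return len(self.pending.get(device_id, {}))


class AccountBoundStore:
    """Toy model of the hardened design: a passcode is bound to exactly one
    (account, device) pair and each account has its own failed-attempt budget
    (assumed here to be 5), so one device linked to many accounts gains nothing."""

    def __init__(self, max_attempts=5):
        self.pending = {}   # (account, device_id) -> code
        self.failures = {}  # account -> failed verification count
        self.max_attempts = max_attempts

    def issue(self, account, device_id):
        code = secrets.randbelow(CODE_SPACE)
        self.pending[(account, device_id)] = code
        self.failures[account] = 0
        return code

    def verify(self, account, device_id, code):
        if self.failures.get(account, 0) >= self.max_attempts:
            return None  # account locked until a fresh reset is issued
        if self.pending.get((account, device_id)) == code:
            self.pending.pop((account, device_id))  # single use
            return account
        self.failures[account] = self.failures.get(account, 0) + 1
        return None


def max_per_guess_success(n_linked):
    """Upper bound on the chance that one guessed code matches some account
    linked to a device: at most n_linked of the 10^6 codes can be live."""
    return min(n_linked, CODE_SPACE) / CODE_SPACE


def min_expected_guesses(n_linked):
    """Lower bound on the expected number of guesses before the first hit
    against a device with n_linked live codes."""
    return CODE_SPACE / min(n_linked, CODE_SPACE)


if __name__ == "__main__":
    flawed = DeviceBoundStore()
    codes = {f"user{i}": flawed.issue(f"user{i}", "device-A") for i in range(5)}
    # The guess names no account, yet device-A accepts it for whichever linked
    # account happens to hold that code.
    print("device-bound verify:", flawed.verify("device-A", codes["user3"]))
    for n in (1, 10_000, CODE_SPACE):
        print(n, "linked ->", max_per_guess_success(n), min_expected_guesses(n))
```

The bounds treat the N live codes as distinct, which is the best case for the guesser; random codes can collide, which only lowers the real hit rate. The per-account budget in `AccountBoundStore` is what a brute-force detector can reason about: a device that triggers lockouts on many accounts in a short window is itself the signal worth alerting on.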

Another vulnerability, discovered by Laxman last month, allowed an attacker to hack any Instagram account by using multiple IPs. The severity of the reported flaw was very high even though it had a limiting factor: the passcode expires within 10 minutes. Facebook rewarded him with a $30,000 bug bounty.

The new flaw is less severe than the previous one he reported. This time Facebook rewarded the Chennai techie with a bounty of $10,000 as part of the tech giant's bug bounty program.

The bug is now patched, and users of the photo and video sharing application are no longer exposed to this vulnerability.
