August 23, 2019
As you may be aware, Laxman Muthiyah is the well-known bug hunter who uncovered not only a data deletion flaw but also a data disclosure bug on Facebook. The first bug meant he could have wiped all your photos without knowing your password. The second meant he could have tricked you into installing an innocent-looking mobile app that could riffle through all your Facebook pictures without ever being granted access to your account. To be clear: he found those holes under the rules of Facebook's bug bounty programme, and he disclosed them responsibly to Facebook.
Now he is back, this time with a flaw in Instagram rather than in Facebook's eponymous social network. Very simply put, what Laxman discovered is that it was possible, not only in theory but also in practice, to take over someone's Instagram account by:
Laxman estimated that mounting that sort of attack from a batch of cloud instances on Amazon or Google would cost about $150. So although you couldn't easily hack everyone's account with this trick, you could reliably, and fairly cheaply, hack a chosen victim's account.
Don't forget, too, that cybercrooks with one or more botnets at their disposal could do it without paying for cloud servers at all. A botnet is a "network army" of malware-infected computers that can be instructed to run identical commands in unison, so a botnet operator could probably open 5000 simultaneous connections from 5000 different IP addresses all over the world at a moment's notice, and the per-IP throttling that would stop a single attacker never kicks in.
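To make the arithmetic behind the 5000-IP figure concrete, here is a small added model (written for this page, not Laxman's proof-of-concept and not Instagram's code). It assumes a six-digit numeric reset code (one million possible values) and a hypothetical server that throttles each source IP after 200 guesses; the 200 figure is an assumption chosen so that the model lines up with the article's numbers, not a value the page states. The model shows two things: spreading guesses over enough IPs covers the whole code space when the only limit is per source address, and a modest per-account limit (also an assumed figure) stops the same attack no matter how many addresses the attacker controls.

```python
"""Toy model: per-IP versus per-account throttling of a 6-digit reset code.

Added example; all server behaviour and budgets here are assumptions."""
import math
from collections import defaultdict

CODE_SPACE = 10**6        # a six-digit numeric code has one million values
PER_IP_BUDGET = 200       # assumed: guesses one source IP may make before throttling
PER_ACCOUNT_BUDGET = 10   # assumed: wrong guesses one account tolerates, from any IP


def ips_needed(code_space=CODE_SPACE, per_ip_budget=PER_IP_BUDGET):
    """Distinct source IPs needed to cover the whole code space when the
    only limit is per IP: 1,000,000 / 200 = 5000."""
    return math.ceil(code_space / per_ip_budget)


class ResetCodeVerifier:
    """Hypothetical server side. Limits are plain counters, not real timers."""

    def __init__(self, secret_code, per_ip_budget, per_account_budget=None):
        self.secret_code = secret_code
        self.per_ip_budget = per_ip_budget
        self.per_account_budget = per_account_budget  # None = no per-account limit
        self.ip_attempts = defaultdict(int)
        self.account_attempts = 0
        self.locked = False

    def try_code(self, src_ip, guess):
        """Return 'ok', 'wrong', 'rate_limited' (this IP is burnt) or
        'locked' (the account itself has stopped accepting codes)."""
        if self.locked:
            return "locked"
        if self.ip_attempts[src_ip] >= self.per_ip_budget:
            return "rate_limited"
        self.ip_attempts[src_ip] += 1
        self.account_attempts += 1
        if guess == self.secret_code:
            return "ok"
        if (self.per_account_budget is not None
                and self.account_attempts >= self.per_account_budget):
            self.locked = True
        return "wrong"


def distributed_brute_force(verifier, num_ips, code_space=CODE_SPACE):
    """Try every code once, rotating to the next source IP as soon as the
    current one is throttled. Returns (found, guesses_accepted)."""
    ips = [f"src{i}" for i in range(num_ips)]  # constructed source labels
    ip_index = 0
    sent = 0
    for guess in range(code_space):
        while ip_index < len(ips):
            result = verifier.try_code(ips[ip_index], guess)
            if result == "rate_limited":
                ip_index += 1          # this source is burnt; move to the next one
                continue
            if result == "locked":
                return False, sent     # per-account limit: more IPs will not help
            sent += 1
            if result == "ok":
                return True, sent
            break                      # "wrong": try the next code
        else:
            return False, sent         # ran out of source IPs before covering the space
    return False, sent


if __name__ == "__main__":
    worst_case = 999_999  # the last code we would try
    print("IPs needed:", ips_needed())
    v = ResetCodeVerifier(worst_case, PER_IP_BUDGET)
    print("per-IP limit only, 5000 IPs:", distributed_brute_force(v, 5000))
    v = ResetCodeVerifier(worst_case, PER_IP_BUDGET)
    print("per-IP limit only, 4999 IPs:", distributed_brute_force(v, 4999))
    v = ResetCodeVerifier(worst_case, PER_IP_BUDGET, PER_ACCOUNT_BUDGET)
    print("per-IP plus per-account limit:", distributed_brute_force(v, 5000))
```

The point of the model is in the last two cases: with 4999 addresses the attacker can send only 999,800 guesses and falls just short of a worst-case code, while a per-account counter ends the attack after ten wrong guesses regardless of how many addresses are thrown at it. Throttling keyed on the thing under attack (the account or the reset request), rather than on the source address, is the control that a botnet cannot route around.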
Based on this, we have come up with some simple tips for Instagram users to protect their accounts.
(The writer is Paul Ducklin, Senior Technologist at Sophos)