Instagram bug could have allowed anyone to take over your account – By Paul Ducklin

August 23, 2019

As you may be aware, Laxman Muthiyah is the well-known bug-hunter who uncovered not only a data deletion flaw but also a data disclosure bug on Facebook. The first bug meant he could have zapped all your photos without knowing your password. The second meant that he could have tricked you into installing an innocent-looking mobile app that could riffle through all your Facebook pictures without ever being given access to your account. To be clear: he found those holes in compliance with Facebook’s Bug Bounty program, and he disclosed them responsibly to Facebook.


Now he is back, this time with a flaw in Instagram rather than in its parent Facebook’s own network. Very simply put, what Laxman discovered is that it was possible, not only in theory but also in real life, to take over someone’s Instagram account by:

  1. Triggering a password reset.
  2. Requesting a recovery code.
  3. Quickly trying out every possible recovery code against the account.

Laxman estimated that setting up that sort of attack from a bunch of cloud accounts on Amazon or Google would cost about $150, so although you couldn’t easily hack everyone’s account with this trick, you could reliably and fairly cheaply hack someone’s account.

Also, don’t forget that cybercrooks with one or more botnets at their disposal – a botnet is a “network army” of malware-infected computers that can be instructed to kick off identical commands in unison – could probably activate 5000 simultaneous connections from 5000 different IP numbers all over the world at a moment’s notice.

Based on this, we have come up with some simple tips for Instagram users to protect their accounts.

  • To protect your Instagram account from this attack, you don’t need to do anything. Facebook altered Instagram’s server-side defensive mechanism unilaterally, so this attack no longer works.
  • If you receive an account recovery code or a password reset message that you didn’t request, report it. It means that someone other than you is probably trying to take over the account, hoping you won’t notice until after they’ve had a crack at getting in.
  • In case any of your accounts do get taken over, familiarise yourself now with the process you’d follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards.
  • If you are programming a rate-limiting security system of your own, actively protect the victim as well as slowing down any attackers. In this case, limiting the scale of each individual attack is a good thing to do, but you also need a direct defence for the account that’s being attacked.
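
The last tip is the design point worth seeing in code. What follows is an added example, not code from this article or from Instagram, of a recovery-code verifier that combines the two defences the tip describes: a per-source budget that slows any one attacker down, and a per-victim limit under which the recovery code itself is invalidated after a handful of wrong guesses (and expires on its own), whichever addresses the guesses came from. The class and function names, the limit values and the simulated source labels are all assumptions constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Limits are assumed values for this example, not Instagram's real settings.
CODE_TTL_SECONDS = 10 * 60       # a recovery code dies after ten minutes
MAX_ATTEMPTS_PER_CODE = 5        # wrong guesses before the code is invalidated
MAX_ATTEMPTS_PER_IP = 200        # guesses one source address may make per window
WINDOW_SECONDS = 60 * 60


@dataclass
class RecoveryChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    burnt: bool = False


class RecoveryCodeVerifier:
    """Verifier with two independent limits.

    Per-source: one address gets MAX_ATTEMPTS_PER_IP guesses per window, which
    slows an attacker down. Per-victim: the code itself is invalidated after
    MAX_ATTEMPTS_PER_CODE wrong guesses, whichever addresses they came from, so
    spreading the attempts across many sources buys the attacker nothing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing expiry
        self._challenges: dict[str, RecoveryChallenge] = {}
        self._ip_hits: dict[str, list[float]] = {}

    def issue_code(self, account: str) -> str:
        """Create a fresh six-digit code; a new request replaces any older one."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account] = RecoveryChallenge(code, self._clock())
        return code  # in a real system this goes to the user's phone or e-mail

    def _ip_over_budget(self, ip: str) -> bool:
        now = self._clock()
        hits = [t for t in self._ip_hits.get(ip, []) if now - t < WINDOW_SECONDS]
        hits.append(now)
        self._ip_hits[ip] = hits
        return len(hits) > MAX_ATTEMPTS_PER_IP

    def verify(self, account: str, guess: str, ip: str) -> str:
        """Return 'ok', 'wrong', 'rate_limited' or 'no_challenge'."""
        if self._ip_over_budget(ip):
            return "rate_limited"
        ch = self._challenges.get(account)
        if ch is None or ch.burnt or self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            return "no_challenge"           # nothing valid to guess against
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            del self._challenges[account]   # single use: a code never works twice
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS_PER_CODE:
            ch.burnt = True                 # victim-side defence: the code is dead now
        return "wrong"


def simulate_distributed_guessing(n_sources: int, account: str = "victim") -> dict:
    """Constructed scenario: wrong guesses rotated over n_sources addresses.

    Returns how many guesses the server evaluated before the code was
    invalidated, and whether the real code, tried afterwards, still worked.
    """
    v = RecoveryCodeVerifier()
    real = v.issue_code(account)
    evaluated = 0
    for i in range(MAX_ATTEMPTS_PER_IP * n_sources + MAX_ATTEMPTS_PER_CODE + 1):
        guess = f"{i % 1_000_000:06d}"
        if guess == real:
            continue                        # only wrong guesses in this run
        result = v.verify(account, guess, ip=f"source-{i % n_sources}")  # constructed labels
        if result == "wrong":
            evaluated += 1
        elif result == "no_challenge":
            break                           # code already invalidated
    accepted = v.verify(account, real, ip="source-late") == "ok"
    return {"evaluated": evaluated, "real_code_accepted": accepted}


if __name__ == "__main__":
    for n in (1, 5000):
        print(n, "source(s):", simulate_distributed_guessing(n))
```

Running `simulate_distributed_guessing(5000)` mirrors the botnet figure in the article: the server evaluates only MAX_ATTEMPTS_PER_CODE guesses before the code is burnt, and the genuine code submitted afterwards is refused, exactly as with a single source. A per-address limit on its own would give the same small number per address and then let the attacker carry on from the next one, which is the gap the tip warns about.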

(The writer, Paul Ducklin, is Senior Technologist at Sophos)