An independent researcher earned a $30,000 bug bounty after discovering a weakness in Instagram's mobile account-recovery process.
A researcher earned a $30,000 bug bounty from Facebook after discovering a weakness in the Instagram mobile recovery process that would allow account takeover for any user, via mass brute-force campaigns.
Independent researcher Laxman Muthiyah examined Instagram's mobile recovery flow, in which a user receives a six-digit passcode on their mobile number for two-factor account authentication (2FA). Six decimal digits give 10^6, or 1 million, possible codes.
“Therefore, if we are able to try all the 1 million codes on the verify-code endpoint, we would be able to change the password of any account,” he explained in a Sunday posting.
Trying 1 million codes within the 10 minutes before the one-time passcode expires may sound challenging (it works out to roughly 1,700 attempts per second), but this kind of brute-forcing is feasible with an automated script and a cloud service account, he said.
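To make the arithmetic concrete, the following is an added example written for this page; it is not the researcher's script and not Instagram's code. It simulates a verify-code endpoint in two configurations: one that accepts unlimited guesses against a six-digit code (the condition the article describes), and one that locks the code after a small number of wrong guesses. The `VerifyEndpoint` class, the `max_attempts` parameter and the attempt-counting logic are assumptions introduced for illustration; the brute-force loop simply enumerates 000000 to 999999 against the simulated endpoint.

```python
import hmac
import secrets
from typing import Optional

CODE_SPACE = 10**6      # six decimal digits: 000000 .. 999999
TTL_SECONDS = 600       # the 10-minute lifetime the article mentions


class VerifyEndpoint:
    """Constructed stand-in for a recovery verify-code endpoint (not real service code).

    max_attempts=None reproduces the weakness: every guess is checked, so a
    full enumeration always succeeds. A small max_attempts models the fix:
    the code is invalidated once the budget is exhausted.
    """

    def __init__(self, code: Optional[str] = None, max_attempts: Optional[int] = None):
        # Allow a fixed code for deterministic tests; otherwise pick one at random.
        self.code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):06d}"
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        """Return True only if candidate matches and the code is still usable."""
        if self.locked:
            return False
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            # Budget exceeded: invalidate the code for good, regardless of source IP.
            self.locked = True
            return False
        # Constant-time comparison so the check itself leaks nothing about the code.
        return hmac.compare_digest(self.code, candidate)


def brute_force(endpoint: VerifyEndpoint) -> Optional[int]:
    """Enumerate every six-digit code; return the accepted code or None."""
    for n in range(CODE_SPACE):
        if endpoint.verify(f"{n:06d}"):
            return n
    return None


def required_rate(window_seconds: int = TTL_SECONDS) -> float:
    """Requests per second needed to exhaust the code space before expiry."""
    return CODE_SPACE / window_seconds


def success_probability(max_attempts: int) -> float:
    """Chance a single attacker run guesses the code when only max_attempts are allowed."""
    return max_attempts / CODE_SPACE


if __name__ == "__main__":
    weak = VerifyEndpoint()
    print("unlimited guesses -> recovered code:", brute_force(weak), "after", weak.attempts, "tries")
    hard = VerifyEndpoint(max_attempts=5)
    print("5-guess limit     -> recovered code:", brute_force(hard), "locked:", hard.locked)
    print(f"rate needed to exhaust 10^6 codes in {TTL_SECONDS}s: {required_rate():.0f} req/s")
    print(f"success probability with a 5-attempt budget: {success_probability(5):.1e}")
```

With no attempt budget, the loop always finds the code within 10^6 requests, which is the whole weakness: the only thing standing between an attacker and the password reset is sending about 1,700 requests per second for ten minutes. With a per-code budget of five wrong guesses the same loop locks the code on the sixth request and the attacker's chance of success drops to 5 in a million per recovery attempt. The important design choice is that the counter is tied to the code (and therefore the account), not to the caller's IP address, since an attacker with a cloud account can spread requests across many addresses.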
Original story reported by ThreatPost.com • Threatpost is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.