
Indian Techie discovered a vulnerability on Instagram and won Rs 7.2 lakhs.

Laxman Muthiyah also won Rs 21.6 lakhs for finding a flaw in Instagram last month

Last month, Indian techie Laxman Muthiyah won $30,000 (approximately Rs. 21.6 lakhs) from Facebook for spotting a vulnerability in Instagram, and now he has won another $10,000 (approximately Rs. 7.2 lakhs) from the social media giant. This time he spotted an account takeover vulnerability in Instagram that allowed anyone to hack Instagram accounts without the owner's consent. The Instagram and Facebook teams have fixed the issue and awarded the Chennai-based security researcher $10,000 as part of their bounty program.

Security researcher Laxman Muthiyah shared the news in a blog post, which says: “Facebook and Instagram security team fixed the issue and rewarded me $10,000 as a part of their bounty program.”


According to him, the device ID is the unique identifier used by the Instagram server to authenticate password reset codes. When a user requests a passcode using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the passcode.

He further explained that the device ID is a random string generated by the Instagram app. The same ID can be used to request passcodes for multiple different users. When 6-digit passcodes are requested for many users, the possibility of hacking the accounts increases.

“For example, if you request a passcode of 100 thousand users using the same device ID, you can have a 10 percent success rate since 100k codes are issued to the same device ID.  If we request passcodes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the passcode one by one.”

So, in order to hack accounts, the hacker needs to request codes for 1 million users. Moreover, the passcodes expire after 10 minutes, so the entire attack has to happen within 10 minutes.

He added that the account takeover vulnerability has been fixed by the Facebook security team and no one can hack Instagram accounts using it.

After this, Facebook thanked Muthiyah and awarded him $10,000. In its letter, Facebook said: “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery. Thank you again for this report.”
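The kind of protection a recovery endpoint needs against the pattern described above can be sketched as follows. This is an added example, not Instagram's or Facebook's code and not from the researcher's post; the class name, method names and both limits are assumptions, and only the 6-digit code, the device ID binding and the 10-minute expiry come from the article.

```python
import hmac
import secrets
import time

CODE_TTL = 600               # 10-minute expiry, as stated in the article
MAX_ACCOUNTS_PER_DEVICE = 3  # assumed limit, not Instagram's real value
MAX_VERIFY_ATTEMPTS = 5      # assumed limit, not Instagram's real value


class RecoveryEndpoint:
    """Toy password-reset service keyed on (account, device ID)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}     # (account, device_id) -> [code, expires_at, attempts_left]
        self.requests = {}  # device_id -> {account: time of last request}

    def request_code(self, account, device_id):
        now = self.clock()
        seen = self.requests.setdefault(device_id, {})
        # Forget accounts whose codes have already expired.
        for acct in [a for a, t in seen.items() if now - t >= CODE_TTL]:
            del seen[acct]
        # One device ID may hold live codes for only a few accounts.
        if account not in seen and len(seen) >= MAX_ACCOUNTS_PER_DEVICE:
            return None
        seen[account] = now
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[(account, device_id)] = [code, now + CODE_TTL, MAX_VERIFY_ATTEMPTS]
        return code  # a real service sends this out of band, never to the caller

    def verify_code(self, account, device_id, guess):
        key = (account, device_id)
        entry = self.codes.get(key)
        if entry is None or self.clock() >= entry[1]:
            self.codes.pop(key, None)
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0], guess)
        # Burn the code on success or once the attempt budget is spent.
        if ok or entry[2] <= 0:
            del self.codes[key]
        return ok
```

The sketch covers only the per-device-ID cap and the per-code attempt budget; limits on how often a code may be requested for one account are outside its scope.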

Komila Singh (https://www.gadgetbridge.com)