A researcher earned a $30,000 bug bounty from Facebook after discovering a weakness in the Instagram mobile recovery process that would allow account takeover for any user, via mass brute-force campaigns.

Independent researcher Laxman Muthiyah took a look at Instagram’s mobile recovery flow, in which a user receives a six-digit passcode at their mobile number for two-factor account authentication (2FA). Six digits means there are 1 million possible codes.

“Therefore, if we are able to try all the 1 million codes on the verify-code endpoint, we would be able to change the password of any account,” he explained in a Sunday posting.

Though trying 1 million codes in the 10 minutes before the one-time passcode expires may sound challenging, this kind of brute-forcing is possible with an automated script and a cloud service account, he said.

“In a real attack scenario, the attacker needs 5,000 IP [addresses] to hack an account,” he said. “It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”

The recovery mechanism does have a rate-limiting protection – i.e., the number of log-in attempts within a set amount of time from any one IP address is restricted. In Muthiyah’s first attempt, he sent around 1,000 requests, but only 250 of them went through. However, he also discovered that Instagram doesn’t blacklist IP addresses that have exceeded the number of allowed attempts for a certain time period, so he could toggle between IP addresses in order to perform a continuous attack.

Also, he was able to confuse the rate-limiting mechanism by sending concurrent requests, exploiting a race condition (or race hazard) to double the number of attempts that went through.

“I found two things that allowed me to bypass their rate-limiting mechanism: Race hazard and IP rotation,” he said. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of requests and the number of IPs we use. Also, I realized that the code expires in 10 minutes; it makes the attack even harder; therefore, we need thousands of IPs to perform the attack.”
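As an added example (not code from the article, nor Instagram's or Facebook's own implementation), here is a hypothetical verify-code backend that closes both bypasses described above: the attempt budget is tracked per account rather than per source IP, so rotating IPs buys nothing, and it is updated under a lock, so concurrent requests cannot race past it. The simulation function, the account names and the 203.0.113.x addresses are constructed for illustration.

```python
import hmac
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor
CODE_TTL = 600      # seconds: the 10-minute expiry described in the article
MAX_ATTEMPTS = 5    # guesses allowed per issued code, from ALL source IPs combined

class RecoveryCodeStore:
    # Hypothetical backend: the budget is keyed by account, never by client IP, and locked.
    def __init__(self, now=time.time):
        self._now = now              # injectable clock, so expiry can be tested offline
        self._codes = {}             # account -> {"code", "expires", "attempts"}
        self._lock = threading.Lock()

    def issue(self, account):
        code = f"{secrets.randbelow(1_000_000):06d}"
        with self._lock:
            self._codes[account] = {"code": code, "expires": self._now() + CODE_TTL, "attempts": 0}
        return code

    def verify(self, account, guess, source_ip):
        # source_ip is for logging only; it deliberately plays no part in the attempt budget
        with self._lock:
            entry = self._codes.get(account)
            if entry is None or self._now() > entry["expires"]:
                self._codes.pop(account, None)
                return "no_valid_code"
            entry["attempts"] += 1
            if hmac.compare_digest(entry["code"], guess):
                del self._codes[account]     # one-time use
                return "ok"
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._codes[account]     # budget spent: burn the code, force a re-issue
                return "locked"
            return "wrong"

def simulate_rotating_brute_force(store, account, threads=50, per_thread=40):
    # Concurrent wrong guesses, each thread posing as its own IP; returns verify() outcome counts.
    store.issue(account)
    results, lock = {}, threading.Lock()
    def worker(i):
        for j in range(per_thread):
            guess = str(1_000_000 + i * per_thread + j)   # 7 digits: can never match a real code
            r = store.verify(account, guess, f"203.0.113.{i % 256}")
            with lock:
                results[r] = results.get(r, 0) + 1
    with ThreadPoolExecutor(max_workers=threads) as pool:
        pool.map(worker, range(threads))     # the with-block waits for every worker
    return results
```

Running the simulation shows only MAX_ATTEMPTS guesses ever being compared against the code, no matter how many addresses or threads the guesses arrive from; everything after that is refused until a fresh code is issued.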

With the aforementioned $150 cloud set-up, he was able to demonstrate this exact scenario, he noted, putting together a proof-of-concept video that he submitted to the Facebook security team. They verified the issue and congratulated him, paying out a $30,000 bounty in the process.

“The Facebook security team was convinced after providing the above video of sending 200K valid requests,” Muthiyah said. “They were also quick in addressing and fixing the issue.”

Is 2FA Broken?

Most 2FA schemes that use mobile text verification involve six-digit, one-time passcodes that expire within a few minutes, which brings up the question of how many services are vulnerable to the same kind of attack.

It should be noted that there have been other bypasses of SMS-based 2FA as well, including the use of a penetration testing tool called Modlishka, unveiled in January, and an APT attack late last year called the Return of Charming Kitten. The latter campaign used a fake but convincing phishing page to ask users to enter their credentials, which the attackers then entered into the real log-in page in real time. If the account was protected by 2FA, the attackers redirected the target to a further page asking for the one-time password, which they then entered into the real page to gain access to the account.

Earlier in December, an Android Trojan was uncovered that steals money from PayPal accounts even with 2FA on. Posing as a battery optimization tool, it asks for excessive accessibility permissions, which allow it to observe activity on other apps. Then it lurks on the phone and waits for someone to open PayPal and log in. Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s 2FA.
