Instagram has recently addressed a critical flaw that could have allowed hackers to take over any Instagram account without any user interaction.

Instagram has recently addressed a critical vulnerability that could have allowed attackers to completely take over any account without user interaction.

The news was first reported by TheHackerNews; the issue was reported to the Facebook-owned photo-sharing service by the Indian security expert Laxman Muthiyah.

According to Muthiyah, the flaw affects the “password reset” mechanism implemented by Instagram for the mobile version of the service. When Instagram users request to recover their passwords, they have to confirm a six-digit secret passcode (that expires after 10 minutes) that is sent to their associated mobile number or email account. This means that, in the worst case, an attacker who wants to change a password needs to try one million possible combinations.

The expert focused his tests on the maximum number of requests allowed and discovered the absence of blacklisting. He was able to send requests continuously without getting blocked, even after reaching the maximum number of requests he could send in a short period of time.

“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account,” reads the analysis of the expert. “But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it.” “Two things that struck my mind were the number of requests and the absence of blacklisting.”

Finally, he discovered two things that allowed him to bypass Instagram's rate-limiting mechanism: a race condition and IP rotation.

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited,” explained the expert. “The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack.”

In summary, the rate limiting can be bypassed by carrying out the brute-force attack from many different IP addresses and by leveraging a race condition, sending the requests concurrently.
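As an added, defensive illustration (not code from Instagram or from Muthiyah's write-up): a verify-code store whose attempt counter is keyed to the account rather than to the client IP and is updated under a lock, so neither IP rotation nor concurrent requests let a guesser get past a fixed number of tries within the 10-minute code lifetime. The five-attempt budget, the class and function names, and the injectable clock are assumptions made for this example.

```python
import hmac
import secrets
import threading
import time

CODE_TTL_SECONDS = 600   # the article: the six-digit code expires after 10 minutes
MAX_ATTEMPTS = 5         # assumed policy: burn the code after this many guesses


class ResetCodeStore:
    """Password-reset codes with a per-account attempt budget (hypothetical helper).

    The counter lives on the account, not on the requesting IP, so rotating source
    addresses buys no extra guesses; check-and-increment runs under one lock, so
    concurrent requests cannot race past the limit."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, used to exercise expiry
        self._lock = threading.Lock()
        self._state = {}                # account -> {"code", "expires", "attempts"}

    def issue(self, account):
        code = f"{secrets.randbelow(1_000_000):06d}"
        with self._lock:
            self._state[account] = {"code": code, "attempts": 0,
                                    "expires": self._now() + CODE_TTL_SECONDS}
        return code   # delivered out of band in practice; returned here only for the demo

    def verify(self, account, guess):
        with self._lock:
            st = self._state.get(account)
            if st is None or self._now() > st["expires"]:
                self._state.pop(account, None)      # expired or unknown: nothing to verify
                return False
            st["attempts"] += 1
            if st["attempts"] > MAX_ATTEMPTS:
                del self._state[account]            # budget exhausted: code is burned
                return False
            if hmac.compare_digest(st["code"], guess):
                del self._state[account]            # one-time use
                return True
            return False


def concurrent_guesses(store, account, guesses):
    """Submit every guess at once from worker threads (the concurrent-request
    pattern the article describes) and return how many were accepted."""
    hits = []
    workers = [threading.Thread(target=lambda g=g: store.verify(account, g) and hits.append(g))
               for g in guesses]
    for t in workers: t.start()
    for t in workers: t.join()
    return len(hits)
```

With the lock in place a burst of 60 wrong guesses consumes the budget and burns the code, so even the correct code is refused afterwards and a new one must be issued.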

The expert also published a video PoC of the attack that shows the exploitation of the flaw: he takes over an Instagram account after trying 200,000 different passcode combinations without being blocked.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.” added the expert.

Laxman Muthiyah received a $30,000 reward from the company as part of its bug bounty program.

Pierluigi Paganini