Instagram has awarded an Indian techie $30,000 (approx Rs 20,64,500) for finding a bug in the mobile recovery flow of the Facebook-owned photo and video sharing app. Chennai-based security researcher Laxman Muthiyah said that Facebook and Instagram security teams have fixed the issue and rewarded him as a part of their bounty programme. “I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and proof of concept video, I could convince them the attack is feasible,” Muthiyah wrote in a blog post.
Here’s how he found the bug:
In a nutshell, the hacking was done in three simple steps:
Triggering a password reset. Requesting a recovery code. Quickly trying out every possible recovery code against the account.While looking for an account takeover vulnerability, the techie turned his attention to the Instagram forgot password endpoint. This is a process that helps users recover their account password if they have, by chance, forgotten it. Muthiyah first tried to compromise an account through Instagram web, however, due to the strong link-based password reset mechanism, he failed. He then turned his attention towards the mobile recovery flow where he found a susceptible behaviour.
“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password for any account,” he said. Muthiyah’s tests show rate limiting, a mechanism put in place to control the amount of incoming and outgoing traffic to or from a network.
He claims that he sent thousands of requests to check whether Instagram’s systems are validating and rate limiting the requests properly. He found he was able to send requests continuously without getting blocked. In order to be able to change the password, he needed the code (which was sent to the account user’s registered mobile number). So there was only one, hit-and-trial, method that could have provided him with success.
“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realised that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack,” he explained.
For a single person, it’s very difficult to send so many requests from different IPs in a short span of time, but according to Paul Ducklin, Senior Technologist at Sophos, cyber crooks with one or more botnets at their disposal could probably activate 5000 simultaneous connections from 5000 different IP numbers all over the world at a moment’s notice.
Ducklin says that although Instagram has plugged the flaw to save accounts from this attack if a user receives an account recovery code or a password reset message that you didn’t request, report it. It means that someone other than the user is probably trying to take over the account, hoping that the user won’t notice until after they’ve had a crack at getting in.
This is not the first time that Muthiyah has found a flaw in a Facebook app. In the past, he uncovered a data deletion flaw and a data disclosure bug on Facebook. The first bug meant he could have zapped all photos without knowing a user’s password. The second meant that he could have tricked a user into installing an innocent-looking mobile app that could riffle through all user’s Facebook pictures without being given access to your account.
from Latest Technology News https://ift.tt/30KQrJd
No comments:
Post a Comment