Indian Techie finds a bug in Instagram that let him hack any account

Recently Laxman Muthiyah, an Indian security researcher, found a bug in the Instagram app, which let him hack into any account on Instagram. He reported the bug to Instagram, Instagram awarded him with $30,000 as part of a bug bounty programme.

Muthiyah told that the vulnerability allowed him to "hack any Instagram account without consent permission."

He explained the hack was as simple as initiating a password reset, requesting for a recovery code, or quickly trying out possible recovery codes against the account.

Laxman Muthiyah wrote in a blog post, "Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn't find any bugs after a few minutes of testing. Then switched to their mobile recovery flow, where I was able to find a susceptible behaviour."

He further shared, "I reported the vulnerability to the Facebook security team, and they were unable to reproduce it initially due to lack of information in my report. After a few email and proof of concept video, I could convince them the attack is feasible."

Instagram's team has later fixed the bug.

Muthiyah also spotted the data deletion snag and a data disclosure bug for Facebook. The first bug had the potential to corrupt all your photos without knowing your password. While the second could trick you into installing an innocent-looking mobile app, which could sneak into all your photos without even granting access to your account.