Instagram Vulnerability Patched after reported by an Indian Bug Bounty Hunter

Instagram, owned by Facebook, was recently found to be vulnerable to remote attacks which could even make the attackers to reset the passwords for any Instagram account and take complete control of it.

The flaw was found and reported by Laxman Muthiyah, an Indian bug bounty hunter. He pointed out that ‘password recovery’ feature of the mobile version of Instagram was having the flaw.

The ‘password reset’ or ‘password recovery’ is a feature that enables users to regain access to their accounts in case they forget their password. Recovering an Instagram account on mobile requires a user to provide a six-digit passcode to prove his/her identity. The passcode is sent to the associated mobile number or email account.

In a blog post, Muthaiya said that “My tests did show the presence of rate limiting. I sent around 1000 requests, 250 of them went through and the rest 750 requests were rate limited. Tried another 1000, now many of them got rate limited. So their systems are validating and rate limiting the requests properly.”

What caused the bypass of the rate-limiting mechanism? On further investigation, Race Hazard and IP rotation were said to be the reason for the bypassing of rate-limiting mechanism.

In order to address the vulnerability, Muthiyah has released a proof-of-concept, which has now been patched. Meanwhile, users are advised to enable ‘two-factor authentication’ which could prevent hackers from accessing their accounts even if they manage to steal the passwords