A Chennai-based security researcher just saved us from getting our Instagram accounts hacked. Wondering how?
Laxman Muthiyah spotted a flaw in the Facebook-owned photo-sharing app that allowed him to “hack any Instagram account without consent permission” and won $30,000 (over Rs 20 lakh) as a part of Facebook’s bug bounty program.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and proof of concept video, I could convince them the attack is feasible,” Muthiyah wrote in a blog post.
How could your Instagram have been hacked?
With the loophole Muthiyah discovered, it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code, and then rapidly trying out possible recovery codes against the account.
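To show why rapid guessing of a recovery code works against an unguarded check and how a recovery flow is normally hardened, here is an added Python model of the two verification patterns. It is not Instagram's or Muthiyah's code; the code length, attempt budget and lifetime are assumptions.

```python
import hmac
import secrets
import time

# Constructed model of an account-recovery flow (assumed values, not Instagram's).
CODE_LENGTH = 6          # assumed numeric recovery code length
MAX_ATTEMPTS = 5         # assumed wrong guesses allowed before the code is invalidated
CODE_TTL_SECONDS = 600   # assumed lifetime of an issued code

_codes = {}  # account -> {"code": str, "expires": float, "attempts": int}


def issue_recovery_code(account: str, now: float = None) -> str:
    """Generate and store a fresh one-time recovery code for an account."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    _codes[account] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_unlimited(account: str, guess: str) -> bool:
    """The weak pattern: every guess is answered, so at most 10**CODE_LENGTH
    rapid tries find the code and nothing ever invalidates it."""
    entry = _codes.get(account)
    return entry is not None and entry["code"] == guess


def verify_limited(account: str, guess: str, now: float = None) -> bool:
    """Hardened check: the code expires, is consumed on success, and is
    discarded after MAX_ATTEMPTS wrong guesses, so guessing cannot run to completion."""
    now = time.time() if now is None else now
    entry = _codes.get(account)
    if entry is None or now > entry["expires"]:
        _codes.pop(account, None)          # expired codes are dropped
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], guess):  # constant-time comparison
        _codes.pop(account, None)          # one-time use
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        _codes.pop(account, None)          # budget spent: the code is dead
    return False
```

A real service would keep this state server-side per account and also rate-limit by client, so that spreading guesses across many connections does not reset the budget.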
Acknowledging the issue, Paul Ducklin, Senior Technologist at cyber security firm Sophos, said: “To be clear: he found those holes in compliance with Facebook’s Bug Bounty Programme, and he disclosed them responsibly to Facebook. As a result, Facebook was able to fix the problems before the bugs became public, and (as far as anyone knows) these bugs were patched before anyone else found them.”
This is not the first time that Laxman has discovered a bug. He has previously identified both a data deletion flaw and a data disclosure bug on Facebook. The first bug could have zapped all your photos without the attacker knowing your password; the second meant tricking you into installing an innocent-looking mobile app that could riffle through all your Facebook pictures without being given access to your account.
What is a bug bounty programme?
As a part of their bug bounty programme, Facebook rewards people who find and report issues with their security controls.
Earlier this year, 22-year-old Zonel Sougaijam from Manipur had also discovered a bug in WhatsApp. “During a voice call through WhatsApp, the bug allows the receiver to turn into a video call without the authorisation and knowledge of the individual making the voice call thereby violating his privacy,” Zonel said. Facebook recognised his discovery and awarded him $5000 (approximately Rs 3.4 lakh).