Instagram Hacker Confirms 1 Million Account Takeover Attack

Laxman Muthiyah describes himself as a web developer, security researcher and sometimes a hacker in his Twitter profile. I think he does himself a disservice, as a quick glance at his "Zero Hack" blog reveals he is a very talented, and pretty prolific, hacker. Luckily he's also one of the good guys and uses his talents to find vulnerabilities that can then be fixed by the vendor before the threat actors can exploit them. His latest discovery was a flaw in the way that Instagram handled the validation of password reset codes: a defect that meant an attacker could request 1 million password reset codes within a ten-minute window and then take over an account with 100% success.

The Instagram hack background

Why use the "Nasty List" to steal Instagram account passwords when you can just use the system password reset process instead?

Back in July, Muthiyah revealed he found an Instagram vulnerability that allowed him to "hack any Instagram account without consent permission." The Facebook security team (Facebook acquired Instagram for $1 billion (£820 million) on April 9, 2012) thought this was a serious enough problem that it awarded Muthiyah a $30,000 (£24,500) bounty for the disclosure. The vulnerability was quickly addressed and fixed. You can read more about it in this Forbes report from Lee Mathews, but the tl;dr is that it involved Instagram's use of six-digit password reset validation codes.

Muthiyah found a method to bypass the brute-force attack detection that Instagram employed to prevent threat actors from cracking the code by leveraging easy-to-access levels of computing power. He had already found and disclosed three previous Facebook vulnerabilities worthy of bug bounty payouts. Muthiyah wasn't going to stop at just four, though; he realized that there was still mileage in the password reset endpoint for account takeover vulnerabilities.

What's the latest Instagram account takeover hack methodology?

Admitting that the latest vulnerability he found is similar to the previous one but also less severe, Muthiyah turned his attention to the device ID used by Instagram as a unique identifier to validate the password reset codes. "When a user requests a passcode using his/her mobile device," Muthiyah explained, "a device ID is sent along with the request. The same device ID is used again to verify the passcode."

The hacking brain is always probing and always exploring "what if" scenarios. So it was that Muthiyah wondered: what if the same device ID could be used to request password reset codes for multiple accounts? It didn't take long for him to confirm that this was, indeed, the case.

After this, it was just a matter of applying the math. With one million possible values for the six-digit codes that Instagram uses, requesting codes for 100,000 users from the same device ID means a single guessed code has a 10% chance of matching one of them. However, by requesting one million user codes the account hacking success rate becomes 100% by simply "incrementing the passcode one by one."

There is a caveat within all of this though, and that's where the 10 minutes I mentioned earlier comes in. Instagram password reset codes are time-limited: they expire 10 minutes after the request. Muthiyah confirmed that "the entire attack should happen within 10 minutes." This is not as problematic as it might sound, as he proved previously when he applied thousands of cloud machine instances to create his proof of concept exploit.
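To make the design defect concrete from the defender's side, here is an added model (written for this piece, not Instagram's or Muthiyah's code) of a reset-code verifier that, as described above, keys only on the device ID and the code, alongside a hardened version that binds each code to the account it was issued for, limits how many live codes one device may hold, caps failed guesses and makes codes single-use. Account and device names, the cap values, and the in-memory store are assumptions; the 1,000,000-code space and ten-minute expiry come from the article, and with the flawed verifier N live codes from one device give a single guess an N/1,000,000 chance of unlocking some account.

```python
import secrets
from collections import defaultdict

CODE_SPACE = 1_000_000  # six-digit codes, as on the page
CODE_TTL = 600          # a code expires ten minutes after the request


class FlawedResetService:
    """Model of the defect: lookup by (device_id, code) alone, so a code issued for any account is accepted from that device."""
    def __init__(self):
        self.codes = {}  # (device_id, code) -> (account, issued_at)

    def request_code(self, account, device_id, now):
        code = secrets.randbelow(CODE_SPACE)
        self.codes[(device_id, code)] = (account, now)
        return code

    def verify(self, device_id, code, now):
        hit = self.codes.get((device_id, code))
        if hit is None or now - hit[1] > CODE_TTL:
            return None
        return hit[0]  # whichever account the code happened to belong to


class HardenedResetService:
    """Fix: code bound to its account, few live codes per device, capped guesses, single use (cap values are assumed)."""
    MAX_LIVE_PER_DEVICE, MAX_ATTEMPTS = 3, 5

    def __init__(self):
        self.codes = {}                   # account -> (device_id, code, issued_at)
        self.live = defaultdict(set)      # device_id -> accounts with a live code
        self.attempts = defaultdict(int)  # (device_id, account) -> failed guesses

    def request_code(self, account, device_id, now):
        live = self.live[device_id]
        if account not in live and len(live) >= self.MAX_LIVE_PER_DEVICE:
            raise PermissionError("too many outstanding resets from this device")
        code = secrets.randbelow(CODE_SPACE)
        self.codes[account] = (device_id, code, now)
        live.add(account)
        return code

    def verify(self, account, device_id, code, now):
        if self.attempts[(device_id, account)] >= self.MAX_ATTEMPTS:
            return False  # locked out for this device/account pair
        entry = self.codes.get(account)
        if entry is None or entry[0] != device_id or entry[1] != code or now - entry[2] > CODE_TTL:
            self.attempts[(device_id, account)] += 1
            return False
        del self.codes[account]  # single use
        self.live[device_id].discard(account)
        return True
```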

The Instagram response

The Facebook security team reacted quickly to confirm the vulnerability, which has now been fixed. In a bounty program response to Muthiyah dated August 19, Facebook said that the hacker had "identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery." A nonce, in the cryptography context, is an arbitrary number that can only be used once. Facebook concluded the confirmation of his $10,000 (£8,170) bounty award by thanking Muthiyah for his report and stating that "we look forward to receiving more reports from you in the future!" I have a funny feeling that the wait may not be too long.
