Chennai-based security researcher Laxman Muthiyah is a hard-working IT professional who frequently spots errors and bugs in the backend of popular internet services and gets rewards in the bug bounty programmes. His most recent catch? A vulnerability in the code of Facebook's platform. Muthiyah found a bug in Facebook's and Instagram's code back in July and duly reported it to the company as part of its bug bounty programme.
In return, the Chennai security researcher was rewarded with $10,000 as promised in the bounty programme. In his official blog post, Muthiyah details the vulnerability which was present in Instagram's device ID feature.
Device ID is the unique identifier Instagram's servers use to validate password reset codes. When a user requests a pass code from a mobile device, the app sends a device ID along with the request, and the same device ID must accompany the pass code when it is verified.
"Device ID is a random string generated by the Instagram application. So what if the same device ID is used to request pass codes of multiple Instagram accounts? I checked it and realized that the same device ID can be used to request multiple pass codes of different users," said Muthiyah in his blog post.
According to him, while a 6-digit code has a million possible values, an attacker can raise the odds of a match by requesting pass codes for many users under one device ID. If the attacker were to request pass codes for 1 million users, it would be possible to hack all one million accounts easily by incrementing the pass code one by one, since each code submitted would match one of the pending requests.
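To make the failure mode concrete, here is an added toy model of a reset-code store keyed by device ID, with the weak behaviour the article describes beside a hardened one. It is constructed for this page and is not Instagram's or Muthiyah's code; the class, method and constant names (including the five-guess budget) are assumptions.

```python
import secrets
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 6
MAX_ATTEMPTS = 5  # guess budget per device ID in hardened mode (assumed policy)


def guess_hit_probability(live_codes: int, code_space: int = 10 ** CODE_DIGITS) -> float:
    """Chance one random guess matches at least one of N independent live codes
    sharing a device ID: 1 - (1 - 1/S)^N. Grows with N, which is the bug's lever."""
    return 1.0 - (1.0 - 1.0 / code_space) ** live_codes


class ResetCodeService:
    """Constructed toy pass-code store keyed by device ID.
    weak=True : one device ID may hold live codes for many accounts, a guess is
                matched against all of them and there is no guess budget (the bug).
    weak=False: at most one live reset per device ID, a new request replaces the
                old code, and guesses are capped per device ID.
    """

    def __init__(self, weak: bool = False) -> None:
        self.weak = weak
        self.pending: Dict[str, List[Tuple[str, str]]] = {}  # device -> [(account, code)]
        self.attempts: Dict[str, int] = {}

    def request_code(self, device_id: str, account: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        entries = self.pending.setdefault(device_id, [])
        if not self.weak:
            entries.clear()                  # one live reset per device ID
            self.attempts[device_id] = 0     # fresh budget for the new code
        entries.append((account, code))
        return code

    def verify(self, device_id: str, guess: str) -> Optional[str]:
        """Return the account the code authorises a reset for, or None."""
        entries = self.pending.get(device_id, [])
        if not self.weak:
            used = self.attempts.get(device_id, 0)
            if used >= MAX_ATTEMPTS:
                return None                  # budget spent: the code is dead
            self.attempts[device_id] = used + 1
        for account, code in entries:
            if secrets.compare_digest(code, guess):
                entries.remove((account, code))  # a code is single use
                return account
        return None

    def exposed_accounts(self, device_id: str) -> int:
        """Accounts a single correct guess on this device ID could unlock."""
        return len(self.pending.get(device_id, []))
```

In weak mode every extra pending request widens what one guess can hit; in hardened mode a device ID never represents more than one account and a handful of wrong guesses kills the code.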
Laxman has helped Facebook resolve the bug, and he confirms that Instagram accounts can no longer be hacked using this vulnerability.