Barely a month after winning $30,000 from Facebook for spotting a security flaw in Instagram, Chennai-based cyber-security researcher, Laxman Muthiyah, claimed to have won a further $10,000 from the tech giant for finding and reporting a new ‘account-takeover vulnerability’ in the photo and video-sharing platform. The new vulnerability was reportedly similar to the one he reported in July and, allowed hackers to access people’s Instagram accounts without their consent.
According to him, the vulnerability arose from the fact that Instagram was not using unique device IDs to validate password-reset codes requested by users. Once he found that the same device IDs were being used to request multiple pass codes of different users, he developed a proof-of-concept demo that showed the flaw can be exploited to hack random Instagram accounts.
Facebook has now fixed the vulnerability following his report, said Muthiyah. “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme”, he said. “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to ten attempt recovery”, Facebook reportedly said in a letter to Muthiyah.
Commentaires