Do you remember the name Laxman Muthiyah?
We certainly do, because we’ve written about his bug-hunting work before – for example, he’s uncovered not only a data deletion flaw but also a data disclosure bug on Facebook.
The first bug meant he could have zapped all your photos without knowing your password; the second meant that he could have tricked you into installing an innocent-looking mobile app that could riffle through all your Facebook pictures without being given access to your account.
To be clear: he found those holes in compliance with Facebook’s Bug Bounty program, and he disclosed them responsibly to Facebook.
As a result, Facebook was able to fix the problems for everyone before the bugs became public, and (as far as anyone knows) these bugs were patched before anyone else found them.
Back in 2015, those two holes together netted Laxman Muthiyah $22,500 in bug bounty money.
Laxman is back, this time with a surprisingly simple bug that was nevertheless worth $30,000.
It’s still Facebook paying out the bounty, but this time it’s for a flaw in the company’s Instagram platform rather than its eponymous Facebook network.
Very simply put, what Laxman discovered is that it was possible not only in theory but also in real life to take over someone’s Instagram account by:
- Triggering a password reset.
- Requesting a recovery code.
- Quickly trying out every possible recovery code against the account.
Seemed OK at first
Interestingly, Laxman’s initial tests suggested that Facebook had this one locked down safely.
He found that he could only try about 200 different codes before he got blocklisted, meaning that the Instagram servers would no longer let him make any more guesses.
The recovery codes have six digits, giving a million different possibilities each time, so he was 999,800 guesses short of what’s called a brute-force attack. (That’s where you try every possible code or password, not just the likely ones.)
And a so-called dictionary attack, where you stick to the most likely codes or passwords, such as 123456 or 8888888, was no good either.
That’s because the recovery codes are chosen randomly, avoiding the vagaries of human predictability, so that codes such as 875415, 681411 and 849867 are just as likely as 000000, 111111 and 222222 – there’s no way to pick “the most popular passwords” to try first.
Likewise, he couldn’t try each code super-slowly, or wait quietly for a while after every 100 guesses to avoid tripping the alarm, because each recovery code was valid for only 10 minutes.
Even if Instagram would have let him try a new batch of 200 guesses after, say, two minutes, he’d still have managed only 1000 out of 1,000,000 guesses before the code expired anyway.
What’s being blocked?
Laxman wondered, “Is the blocking down to the number of attempts against the same account, or is it down to the number of guesses from the same computer?”
In other words, if he had 201 different computers, each with a different IP number, and each computer made just one guess, would that trigger the 200-guess limit?
Or if he had 201 computers, would each one get 200 guesses of its own in the 10-minute window, giving him 201×200 = 40,200 guesses?
In fact, he tried with 1000 different IP numbers and was able to make 200,000 guesses without getting locked out.
From this he inferred that anyone with 5000 different IP numbers at their disposal could reliably try all one million recovery codes in 10 minutes (5000 × 200 = 1,000,000), and therefore complete the account recovery with certainty.
Who would have 5000 computers?
But who would have 5000 different computers and 5000 different IP numbers handy?
Well, Laxman estimated that setting up that sort of attack from a bunch of cloud accounts on Amazon or Google would cost about $150, so although you couldn’t easily hack everyone’s account with this trick, you could reliably and fairly cheaply hack someone’s account.
Also, don’t forget that cybercrooks with one or more botnets at their disposal – a botnet is a “network army” of malware-infected computers that can be instructed to kick off identical commands in unison – could probably activate 5000 simultaneous connections from 5000 different IP numbers all over the world at a moment’s notice.
Facebook must have agreed that this attack was more than just a theoretical risk – the company paid him $30,000 and fixed the hole, presumably by rate limiting the use of recovery codes on a per-victim basis rather than a per-attacker basis.
What to do?
- To protect your Instagram account from this attack, you don’t need to do anything. Facebook altered Instagram’s server-side defensive mechanism unilaterally, so this attack no longer works.
- If you receive an account recovery code or a password reset message that you didn’t request, report it. It means that someone other than you is probably trying to take over the account, hoping you won’t notice until after they’ve had a crack at getting in.
- In case any of your accounts do get taken over, familiarise yourself now with the process you’d follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards.
- If you are programming a rate-limiting security system of your own, actively protect the victim as well as slowing down any attackers. In this case, limiting the scale of each individual attack is a good thing to do, but you also need a direct defence for the account that’s being attacked.
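Here is an added example of the victim-side rate limiting that last point describes; it is not Instagram’s code or anything from Laxman’s report. The 200-guesses-per-IP limit, six-digit codes and 10-minute validity are the article’s figures; the per-account cap of 10 and the `guesses_accepted` helper are assumptions for illustration, and `verify` returns one of "ok", "bad", "expired" or "blocked".

```python
# Added example (not Instagram's or the report's code): a recovery-code check
# that rate-limits per victim account as well as per attacker IP. Limits follow
# the article (200 guesses/IP, 6-digit codes, 10 min); PER_ACCOUNT_LIMIT is assumed.
import secrets
import time
from collections import defaultdict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600       # each code is valid for 10 minutes
PER_IP_LIMIT = 200           # the per-source limit the report observed
PER_ACCOUNT_LIMIT = 10       # assumed cap on wrong guesses per victim per code

class RecoveryCodeVerifier:
    def __init__(self, protect_account=True):
        self.protect_account = protect_account
        self.codes = {}                      # account -> (code, expiry)
        self.per_ip = defaultdict(int)       # attacker-side counter
        self.per_account = defaultdict(int)  # victim-side counter

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[account] = (code, time.monotonic() + CODE_TTL_SECONDS)
        self.per_account[account] = 0        # new random code, fresh budget
        return code

    def verify(self, account, guess, src_ip):
        if self.per_ip[src_ip] >= PER_IP_LIMIT:
            return "blocked"
        if self.protect_account and self.per_account[account] >= PER_ACCOUNT_LIMIT:
            return "blocked"                 # victim-side check the original lacked
        code, expiry = self.codes.get(account, (None, 0.0))
        if code is None or time.monotonic() > expiry:
            return "expired"
        self.per_ip[src_ip] += 1
        self.per_account[account] += 1
        if secrets.compare_digest(code, guess):
            del self.codes[account]          # single use
            return "ok"
        return "bad"

def guesses_accepted(protect_account, n_ips, per_ip=PER_IP_LIMIT):
    """Wrong guesses one account absorbs from n_ips sources under the policy."""
    v = RecoveryCodeVerifier(protect_account)
    v.issue("victim")
    accepted = 0
    for ip in range(n_ips):
        for _ in range(per_ip):              # a 7-char guess never matches a 6-digit code
            if v.verify("victim", "x" * 7, f"10.0.{ip // 256}.{ip % 256}") == "bad":
                accepted += 1
    return accepted
```

With `protect_account=False` the helper reproduces the article’s arithmetic (n_ips × 200 accepted guesses, so 5000 sources cover all one million codes); with the per-account cap a guesser gets 10 tries however many IP addresses are used, and must request a fresh code, which notifies the owner, to get any more.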
I’m curious as to what level this was done at. If it was just a cookie, you could delete the cookies and reset your 2000 guess limit. (2000 was an inordinately high limit anyway.)
Presumably it was at an IP level according to the report, but nothing concrete.
It was 200 per IP, it seems.
As you say, the report doesn’t make it clear, but the wording actually implies that the limit didn’t kick in at precisely 200, because it sounds as though some later requests were handled, just at a very slow rate. Like you, I assumed it was IP reared given the symptoms.
It’s a pity the report doesn’t provide a bit more detail (e.g. try to rule out the content of the request as a factor) but I think the conclusions are fair enough…
Hello, I am having an issue with my Instagram password and wondering if I have somehow been hacked.
I am trying to use an instagram social growth platform, Social Buddy. It requires my insta password.
I didn’t remember my password because it would auto-log me in every time.
So in my insta settings < security < password < Email link to reset password.
I open the link, I enter a new password, I enter the confirmation. Now is the weird part: when I click the Reset Password button I can see the 8 dots representing my new password get changed to something much longer, maybe twenty dots (it is changing the new password I just entered into something else and much longer, but I can't see it except for the dots). They are there for a second, then it goes automatically back into my Instagram, so now I have access to my insta but I still don't know what my password is, because it got changed in that second after I entered a new password.
It doesn't seem right that it would be an insta bug because no one else is writing about it.
Any advice??