Instagram bug could have allowed anyone to take over your account

Do you remember the name Laxman Muthiyah?

We certainly do, because we’ve written about his bug-hunting work before – for example, he’s uncovered not only a data deletion flaw but also a a data disclosure bug on Facebook.

The first bug meant he could have zapped all your photos without knowing your password; the second meant that he could have tricked you into installing an innocent-looking mobile app that could riffle through all your Facebook pictures without being given access to your account.

To be clear: he found those holes in compliance with Facebook’s Bug Bounty program, and he disclosed them responsibly to Facebook.

As a result, Facebook was able to fix the problems for everyone before the bugs became public, and (as far as anyone knows) these bugs were patched before anyone else found them.

Back in 2015, those two holes together netted Laxman Muthiyah $22,500 in bug bounty money.

Laxman is back, this time with a surprisingly simple bug that was nevertheless worth $30,000.

It’s still Facebook paying out the bounty, but this time it’s for a flaw in the company’s Instagram platform rather than its eponymous Facebook network.

Very simply put, what Laxman discovered is that it was possible not only in theory but also in real life to take over someone’s Instagram account by:

1. Triggering a password reset.
2. Requesting a recovery code.
3. Quickly trying out every possible recovery code against the account.

Seemed OK at first

Interestingly, Laxman’s initial tests suggested that Facebook had this one locked down safely.

He found that he could only try about 200 different codes before he got blocklisted, meaning that the Instagram servers would no longer let him make any more guesses.

The recovery codes have six digits, giving a million different possibilities each time, so he was 999,800 guesses short of what’s called a brute-force attack. (That’s where you try every possible code or password, not just the likely ones.)

And a so-called dictionary attack, where you stick to the most likely codes or passwords, such as 123456 or 8888888, was no good either.

That’s because the recovery codes are chosen randomly, avoiding the vagaries of human predictability, so that codes such as 875415, 681411 and 849867 are just as likely as 000000, 111111 and 222222 – there’s no way to pick “the most popular passwords” to try first.

Likewise, he couldn’t try each code super-slowly, or wait quietly for a while after every 100 guesses to avoid tripping the alarm, because each recovery code was valid for only 10 minutes.

Even if Instagram would have let him try try a new batch of 200 guesses after, say, two minutes, he’d still have managed only 1000 out of 1,000,000 guesses before the code expired anyway.

What’s being blocked?

Laxman wondered, “Is the blocking down to the number of attempts against the same account, or is it down to the number of guesses from the same computer?”

In other words, if he had 201 different computers, each with a different IP number, and each computer made just one guess, would that trigger the 200-guess limit?

Or if he had 201 computers, would each one get 200 guesses of its own in the 10-minute window, giving him 201×200 = 40,200 guesses?

In fact, he tried with 1000 different IP numbers and was able to make 200,000 guesses without getting locked out.

From this he inferred that anyone with 5000 different IP numbers at their disposal could reliably try all one million recovery codes in 10 minutes (5000 × 200 = 1,000,000), and therefore complete the account recovery with certainty.

Who would have 5000 computers?

But who would have 5000 different computers and 5000 different IP numbers handy?

Well, Laxman estimated that setting up that sort of attack from a bunch of cloud accounts on Amazon or Google would cost about $150, so although you couldn’t easily hack everyone’s account with this trick, you could reliably and fairly cheaply hack someone’s account.

Also, don’t forget that cybercrooks with one or more botnets at their disposal – a botnet is a “network army” of malware-infected computers that can be instructed to kick off identical commands in unison – could probably activate 5000 simultaneous connections from 5000 different IP numbers all over the world at a moment’s notice.

Facebook must have agreed that this attack was more than just a theoretical risk – the company paid him $30,000 and fixed the hole, presumably by rate limiting the use of recovery codes on a per-victim basis rather than a per-attacker basis.

What to do?

• To protect your Instagram account from this attack, you don’t need to to do anything. Facebook altered Instagram’s server-side defensive mechanism unilaterally, so this attack no longer works.
• If you receive an account recovery code or a password reset message that you didn’t request, report it. It means that someone other than you is probably trying to take over the account, hoping you won’t notice until after they’ve had a crack at getting in.
• In case any of your accounts do get taken over, familiarise yourself now with the process you’d follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards.
• If you are programming a rate-limiting security system of your own, actively protect the victim as well as slowing down any attackers. In this case, limiting the scale of each individual attack is a good thing to do, but you also need a direct defence for the account that’s being attacked.

---