New Instagram security flaw identified

Facebook has awarded Chennai-based security researcher Laxman Muthiyah $10,000 for spotting a flaw in the Instagram app. This relates to a new account takeover vulnerability in Instagram. The vulnerability, now addressed, could have enabled anyone to hack Instagram accounts without permission. The payment was awarded as part of Facebook’s bug bounty program.

Commenting on the newly identified weakness, Eve Maler, VP of innovation & emerging technology, ForgeRock tells Digital Journal: “It is fortunate that a white hat hacker identified Instagram’s vulnerabilities before a malicious actor did. However long the vulnerability was left unpatched, hackers with malicious intentions could have exploited millions of Instagram accounts for their own personal gain, such as spreading spam, misinformation and propaganda or demanding a hefty price for the return of the accounts or account details to their rightful owners.”

Maler notes that the Facebook security team have now addressed the vulnerability. However, as a general point she noted that “companies cannot solely rely on point-in-time testing by security researchers or IT personnel. Enterprises and organizations that manage large amounts of consumer data must utilize comprehensive security strategies that leverage real-time, contextual and continuous authentication and authorization management that identify anomalous behavior.”

As a further security measure, Maler recommends that “these real-time strategies must prompt further action for authentication, such as identity verification, when an unknown user is accessing a database of customer information, to put more barriers between threat actors and sensitive information.”

Back in July 2019, Muthiyah also discovered a critical vulnerability in Instagram, linked to the password reset mechanism, that would permit an attacker to hack an Instagram account without the victim’s knowledge or permission, in less than 10 minutes. For this he received a payment of $30,000.

This flaw existed in relation to a programming script that could be devised to concurrently input a massive number of guesses over a rotating list of IP addresses, in order to crack a user password. For this only a million different combinations were required – too many for a person but not for an automated system.
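Why guessing over a rotating list of IP addresses matters to a defender can be shown with a short added example (not code from the article, the researcher or Facebook): the same constructed stream of guesses is run through an attempt limit keyed on source IP and one keyed on the targeted account. The traffic, field names, thresholds and function names are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per key within `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def constructed_attempts(total, ip_pool, account="victim", per_second=100):
    """Constructed sample traffic: `total` guesses at one account,
    spread round-robin over `ip_pool` documentation-range addresses."""
    for i in range(total):
        yield {"t": i / per_second,
               "ip": f"198.51.100.{i % ip_pool}",
               "account": account}

def guesses_accepted(attempts, key_field, limit, window):
    """Count guesses that get past a limiter keyed on `key_field`."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(limiter.allow(a[key_field], a["t"]) for a in attempts)

def compare(total=10_000, ip_pool=200, limit=50, window=600):
    """Same traffic, same limit: keyed by source IP vs. by target account."""
    by_ip = guesses_accepted(constructed_attempts(total, ip_pool), "ip", limit, window)
    by_account = guesses_accepted(constructed_attempts(total, ip_pool), "account", limit, window)
    return by_ip, by_account

def accounts_hit_from_many_ips(attempts, min_ips=20):
    """Detection view: accounts receiving guesses from many distinct sources."""
    seen = defaultdict(set)
    for a in attempts:
        seen[a["account"]].add(a["ip"])
    return {acct: len(ips) for acct, ips in seen.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    by_ip, by_account = compare()
    print(f"accepted with per-IP limit:      {by_ip}")
    print(f"accepted with per-account limit: {by_account}")
    print(accounts_hit_from_many_ips(constructed_attempts(10_000, 200)))
```

With these constructed numbers every guess passes the per-IP limit, because no single address exceeds it, while the per-account limit stops the run after the first 50 guesses.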

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
