Technology
Indian bug hunter finds flaw in Instagram, wins $30,000
New Delhi, July 18
Chennai-based security researcher Laxman Muthiyah has won $30,000 as a part of a bug bounty programme after he spotted a flaw in Facebook-owned photo-sharing app Instagram.
Muthiyah said the vulnerability allowed him to to "hack any Instagram account without consent permission."
He discovered it was possible to take over someone's Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account.
"I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few email and proof of concept video, I could convince them the attack is feasible," Muthiyah wrote in a blog post this week.
Facebook and Instagram security teams fixed the issue and rewarded me $30,000 as a part of their bounty programme, he added.
Paul Ducklin, Senior Technologist at cyber security major Sophos, however, warned while the vulnerability found by Muthiyah no longer existed, users should familiarise themselves with the process of getting back control of their social media accounts, in case they get hacked.
"In case any of your accounts do get taken over, familiarise yourself with the process you'd follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards," Ducklin said in a statement.
Muthiyah earlier identified not only a data deletion flaw, but also a data disclosure bug on Facebook.
The first bug could have zapped all your photos without knowing your password; the second meant tricking you to install an innocent-looking mobile app that could riffle through all your Facebook pictures without being given access to your account.
"To be clear: he found those holes in compliance with Facebook's Bug Bounty programme, and he disclosed them responsibly to Facebook," Ducklin said.
"As a result, Facebook was able to fix the problems before the bugs became public, and (as far as anyone knows) these bugs were patched before anyone else found them," he remarked.
Muthiyah said the vulnerability allowed him to to "hack any Instagram account without consent permission."
He discovered it was possible to take over someone's Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account.
"I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few email and proof of concept video, I could convince them the attack is feasible," Muthiyah wrote in a blog post this week.
Facebook and Instagram security teams fixed the issue and rewarded me $30,000 as a part of their bounty programme, he added.
Paul Ducklin, Senior Technologist at cyber security major Sophos, however, warned while the vulnerability found by Muthiyah no longer existed, users should familiarise themselves with the process of getting back control of their social media accounts, in case they get hacked.
"In case any of your accounts do get taken over, familiarise yourself with the process you'd follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards," Ducklin said in a statement.
Muthiyah earlier identified not only a data deletion flaw, but also a data disclosure bug on Facebook.
The first bug could have zapped all your photos without knowing your password; the second meant tricking you to install an innocent-looking mobile app that could riffle through all your Facebook pictures without being given access to your account.
"To be clear: he found those holes in compliance with Facebook's Bug Bounty programme, and he disclosed them responsibly to Facebook," Ducklin said.
"As a result, Facebook was able to fix the problems before the bugs became public, and (as far as anyone knows) these bugs were patched before anyone else found them," he remarked.
6 hours ago
Akshara Haasan says her part in ‘Simulacra’ demanded different level of maturity from her
6 hours ago
Sonakshi Sinha warns paps not to capture inside car visuals, refuses to get inside till they stop shooting
6 hours ago
Trump says US will take over Hormuz, become its 'guardian angel'
7 hours ago
Uttar Pradesh: Case filed against American national for entering India without valid documents
7 hours ago
Trump, Netanyahu, Meloni among 13 world leaders featured on Iran's "revenge list"
7 hours ago
"Get ready for sudden death": Iran issues chilling warning after Trump ally's demise
7 hours ago
US Senator Lindsey Graham passed away due to 'aortic dissection', says preliminary medical report
7 hours ago
Houthi TV reports Saudi airstrikes on Sanaa airport
12 hours ago
Vidhatri Bandi recalls losing her father just days before filming 'Max, Min and Meowzaki': Was devastatingly numb
12 hours ago
Keanu Reeves opens up on life lesson he got from bike racing
12 hours ago
New ‘Batwara 1947’ poster symbolises hope and resilience in turbulent times
12 hours ago
Anu Malik on working with Hema Malini in ‘three films’: Those memories will always remain close to my heart
12 hours ago
Shilpa Shetty: Gratitude has always been the bedrock of my life
