In June 2018, Instagram reached one billion monthly active users worldwide. The USA is its largest user group, and the UK sits 8th on the demographics chart with 23 million users.
Facebook purchased Instagram in 2012, and together they are the two most popular social media networks in the world.
In July 2019 a critical vulnerability was discovered in the password recovery feature Instagram protects with a texted six-digit code, allowing an attacker to take over any Instagram account within the ten-minute lifetime of that code, without the account holder being aware.
2-step or two factor authentication is an additional layer of security added to websites, including Amazon, Google, Microsoft and Twitter, to mention a few, to make it harder for hackers and fraudsters to access your online accounts. There are various types of two factor authentication however mobile text verification is still the most widely used and it is the type of authentication used by Instagram.
How was the vulnerability identified?
The flaw in Instagram’s recovery system was found by Laxman Muthiyah, a bug bounty hunter.
He investigated the password recovery feature that lets users regain access to their account after forgetting their password. The user receives a six-digit passcode by text message on their smartphone and must enter it to prove they own the account.
A six-digit code has only 1 million possible values (000000 to 999999). To be certain of getting into an account, an attacker would in the worst case have to try all 1 million codes within the 10-minute window between the code being sent and the code expiring.
Although this sounds impossible, it can be done as a mass brute-force campaign using an automated script and a cloud service account.
“In a real attack scenario, the attacker needs 5,000 IP [addresses] to hack an account,” he said. “It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”
Instagram restricts the number of attempts from any one IP address, but Muthiyah discovered that it did not blacklist the IP addresses that had exceeded the allowed number of attempts for a period of time. That meant he could switch between IP addresses and keep the attack running continuously.
“I found two things that allowed me to bypass their rate-limiting mechanism: Race hazard and IP rotation,” he said. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of requests and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need thousands of IPs to perform the attack.”
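The two points above, the IP-rotation bypass and the size of the attack, are easier to see in code. The simulation below is an added example written for this article; it is not Muthiyah's script or Instagram's code. It assumes a per-IP budget of 200 attempts (which is what the "5,000 IPs for one million codes" figure implies; the real limit is not published here), a constructed recovery code, and a constructed 10.x.x.x IP pool. It pits the same attacker against a verifier that limits only by source IP, and against a hardened verifier that binds the attempt budget to the code itself and applies it atomically, which closes both the IP-rotation and the race-hazard routes at once.

```python
import hashlib
import hmac
import threading
import time

CODE_SPACE = 1_000_000   # a six-digit code has one million values
CODE_TTL = 600           # ten-minute lifetime, as in the article


def ips_needed(per_ip_budget, code_space=CODE_SPACE):
    """IP addresses needed to try every code within one code lifetime
    when each address is allowed per_ip_budget attempts (ceiling division)."""
    return -(-code_space // per_ip_budget)


class PerIpLimitedVerifier:
    """The bypassable design: the only counter is keyed on the caller's IP.
    Assumed per-IP budget of 200; the real value is not known from the article."""

    def __init__(self, code, per_ip_budget=200):
        self.code = code
        self.budget = per_ip_budget
        self.attempts = {}            # ip -> attempts so far

    def verify(self, ip, guess):
        # Read-then-write with no lock: concurrent requests from one IP can
        # both see the same count (the race hazard); a fresh IP always starts at 0.
        n = self.attempts.get(ip, 0)
        if n >= self.budget:
            return "rate_limited"
        self.attempts[ip] = n + 1
        return "ok" if guess == self.code else "wrong"


class PerCodeLimitedVerifier:
    """Hardened design: the failure budget belongs to the code, not the IP,
    check-and-update is atomic, and the code is burned after MAX_FAILURES
    wrong guesses, after a correct guess, or when it expires."""

    MAX_FAILURES = 5

    def __init__(self, code, ttl=CODE_TTL, now=time.monotonic):
        self._now = now               # injectable clock so expiry can be tested
        self.expires_at = now() + ttl
        self.digest = hashlib.sha256(code.encode()).digest()
        self.failures = 0
        self.burned = False
        self._lock = threading.Lock()

    def verify(self, ip, guess):
        with self._lock:              # one request at a time: no race hazard
            if self.burned or self._now() > self.expires_at:
                return "invalid"
            guess_digest = hashlib.sha256(guess.encode()).digest()
            if hmac.compare_digest(guess_digest, self.digest):
                self.burned = True    # single use
                return "ok"
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.burned = True    # the victim must request a new code
            return "wrong"


def brute_force(verifier, per_ip_budget=200, ip_pool=5000):
    """Attacker: walk the code space in order, rotating to a fresh source IP
    whenever the current one has spent its budget. Returns the code found or None."""
    guess = 0
    for ip_index in range(ip_pool):
        ip = f"10.{(ip_index >> 16) & 255}.{(ip_index >> 8) & 255}.{ip_index & 255}"
        for _ in range(per_ip_budget):
            if guess >= CODE_SPACE:
                return None
            result = verifier.verify(ip, f"{guess:06d}")
            if result == "ok":
                return f"{guess:06d}"
            if result == "invalid":
                return None           # code burned or expired: attack is over
            if result == "rate_limited":
                break                 # this IP is spent, rotate to the next one
            guess += 1
    return None


def demo(code="314159"):
    """Constructed code; runs the same attacker against both verifiers."""
    weak = PerIpLimitedVerifier(code)
    hardened = PerCodeLimitedVerifier(code)
    return {
        "ips_needed_for_full_space": ips_needed(200),
        "weak_cracked": brute_force(weak),
        "weak_ips_used": len(weak.attempts),
        "hardened_cracked": brute_force(hardened),
        "hardened_guesses_allowed": hardened.failures,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the per-IP verifier the attacker recovers the code after walking 1,571 addresses, with no single address ever exceeding its budget. Against the per-code verifier the attacker gets five wrong guesses in total, from any number of addresses, and is then told the code is invalid. In a real service the lock would be a database transaction or an atomic counter such as a Redis INCR, the important property being that "check the budget" and "spend one attempt" cannot be separated by a concurrent request.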
He reported the issue to Facebook with evidence, who verified it, congratulated him and awarded a $30,000 bounty, while promptly fixing the flaw.
“The Facebook security team was convinced after providing the above video of sending 200K valid requests,” Muthiyah said. “They were also quick in addressing and fixing the issue.”
Are other websites vulnerable to this threat?
There are many forms of two-factor authentication, such as codes generated by an authenticator app, physical security keys and email-based codes, but many 2FA schemes still rely on mobile text verification with six-digit, one-time passcodes that expire within a few minutes. So how many services are exposed to the same kind of attack?
Almost all well-known websites offer some form of two-factor authentication, and it is clearly more effective than a username and password alone, but attacks on 2FA are on the rise and many account recovery systems are susceptible to phishing. As the number of websites using 2FA grows, it is important that flaws like this one are found and eliminated quickly.
We have to bear in mind when online that although 2FA provides additional security it is not completely watertight.
Last year, an Android Trojan was exposed taking money from PayPal accounts even when 2FA was active. Posing as a battery optimisation tool, the app asked for excessive accessibility permissions, which allowed it to observe activity in other apps, then waited for the user to open PayPal and log in.
What you can do
Google and Microsoft both offer authenticator apps that add a further layer of security, downloadable from the Microsoft Store and Google Play. Remember, though, that wherever there is an app or a website, there is a hacker trying to break in and get at your details. Get tips on how to stay safe online at https://www.getsafeonline.org/