Laxman Muthiyah describes himself as a web developer, security researcher and sometimes a hacker in his Twitter profile. I think he does himself a disservice as a quick glance at his “Zero Hack” blog reveals he is a very talented, and pretty prolific, hacker. Luckily he’s also one of the good guys and uses his talents to find vulnerabilities that can then be fixed by the vendor before the threat actors can exploit them.
His latest discovery was a flaw in the way Instagram validated password reset codes: a defect that meant an attacker could request 1 million password reset codes within a ten-minute window, with 100% success.
The Instagram hack background
Why use the “Nasty List” to steal Instagram account passwords when you can just use the system password reset process instead?
Back in July, Muthiyah revealed he had found an Instagram vulnerability that allowed him to “hack any Instagram account without consent permission.” Facebook's security team (Facebook acquired Instagram for $1 billion, or £820 million, on April 9, 2012) thought this a serious enough problem that it awarded Muthiyah a $30,000 (£24,500) bounty for the disclosure. The vulnerability was quickly addressed and fixed. You can read more about it in this Forbes report from Lee Mathews, but the tl;dr is that it involved Instagram's use of six-digit password reset request validation codes.
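A six-digit code has only a million possible values, so the defence is not the code length but a hard cap on how many guesses each issued code may receive before it is thrown away. The following is an added illustration of that server-side check, not Instagram's code or anything from Muthiyah's write-up; the attempt limit, the ten-minute lifetime and the in-memory store are assumptions for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6       # 10**6 possible codes, as on the page
MAX_ATTEMPTS = 5      # assumed cap: guesses allowed per issued code
TTL_SECONDS = 600     # assumed lifetime, matching the ten-minute window

class ResetCodeStore:
    """Per-account reset codes with an attempt budget tied to the code itself.

    Keying the budget to the account and the issued code (rather than to the
    requester) means rotating source addresses does not buy extra guesses.
    """

    def __init__(self, now=time.time):
        self._now = now
        # account -> [code, expires_at, attempts_used]
        self._codes = {}

    def issue(self, account):
        # Cryptographically random, zero-padded six-digit code; issuing a new
        # code replaces any outstanding one and resets its attempt counter.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self._now() + TTL_SECONDS, 0]
        return code

    def verify(self, account, submitted):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, expires_at, attempts_used = entry
        # Expired or already exhausted: discard so no further guesses count.
        if self._now() > expires_at or attempts_used >= MAX_ATTEMPTS:
            del self._codes[account]
            return False
        entry[2] += 1
        # Constant-time compare; a correct code is single-use.
        if hmac.compare_digest(code, submitted):
            del self._codes[account]
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[account]   # budget spent: the code is now dead
        return False
```

With the cap in place, an attacker gets at most MAX_ATTEMPTS guesses against any one code, a success chance of 5 in a million per issued code rather than a guaranteed hit after a million requests.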
See more at Forbes.