Instagram Account Takeover Vulnerability Earns Hacker $30,000
Facebook recently paid $30,000 to a security researcher who found a critical flaw that could have enabled threat actors to hack Instagram accounts by taking advantage of the app’s password recovery mechanism for mobile devices.
Instagram forces users requesting a password change to enter a six-digit code within 10 minutes of receiving the code on their mobile phone. In order to prevent brute-force attacks aimed at cracking the six-digit code, Instagram used a form of rate-limiting. However, this mechanism was flawed and could be bypassed, the researcher found. As a result, any threat actor willing to spend around $150 in order to obtain 5,000 IPs from “a cloud service provider like Amazon or Google” would have been able to try all of the one million possible six-digit codes for any Instagram account.
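The arithmetic behind that claim, as an added illustration rather than any code from Instagram or the researcher: a per-IP throttle alone lets an attacker with 5,000 IPs cover the whole six-digit space, while a budget keyed to the account (or the reset code itself) caps the exposure regardless of how many IPs are used. The per-IP budget of 200 and the per-account budget of 10 are assumed values chosen for the simulation.

```python
from collections import defaultdict

CODE_SPACE = 1_000_000   # six-digit codes 000000-999999
ATTACKER_IPS = 5_000     # number of source IPs quoted in the article


class ResetCodeVerifier:
    """Gate on guesses against a reset code (illustrative, not Instagram's code).
    per_ip_limit: guesses accepted per source IP; per_account_limit: guesses
    accepted per account across all IPs (None = per-IP-only policy)."""

    def __init__(self, per_ip_limit, per_account_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.ip_attempts = defaultdict(int)
        self.account_attempts = defaultdict(int)

    def accepts(self, account, ip):
        """Return True if this guess would actually be compared with the code."""
        if (self.per_account_limit is not None
                and self.account_attempts[account] >= self.per_account_limit):
            return False          # budget for this account exhausted: code is burned
        if self.ip_attempts[ip] >= self.per_ip_limit:
            return False          # this IP is throttled, but a fresh IP is not
        self.ip_attempts[ip] += 1
        self.account_attempts[account] += 1
        return True


def guesses_checked(verifier, account="victim", ips=ATTACKER_IPS):
    """Spread all CODE_SPACE guesses for one account over `ips` source IPs
    and return how many the verifier actually evaluates."""
    checked = 0
    for i in range(CODE_SPACE):
        if verifier.accepts(account, f"ip-{i % ips}"):
            checked += 1
    return checked


def coverage(checked):
    """Fraction of the code space that gets tested within the window."""
    return checked / CODE_SPACE


if __name__ == "__main__":
    weak = ResetCodeVerifier(per_ip_limit=200)                       # per-IP only
    strong = ResetCodeVerifier(per_ip_limit=200, per_account_limit=10)
    for name, v in (("per-IP only", weak), ("per-IP + per-account", strong)):
        n = guesses_checked(v)
        print(f"{name}: {n:,} of {CODE_SPACE:,} codes checked ({coverage(n):.4%})")
```

With 5,000 IPs and a 200-guess per-IP budget the weak policy evaluates all one million codes, whereas the per-account budget stops after ten guesses, so the same window gives the attacker a 0.001% chance instead of certainty.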