
Dangerous passwords: how a hacker hacked Instagram in 10 minutes

Cybersecurity expert Laxman Muthiah found a way to hack any Instagram account in ten minutes, he said in his blog. According to Muthiah, the vulnerability was in the password recovery system, at the step where a one-time numeric code is sent to the user to verify their identity.
Information security researcher Laxman Muthiah described in his blog how he managed to hack Instagram in 10 minutes. Although Facebook, which owns the photo-sharing service, is constantly trying to improve security and prevent outside interference, Muthiah's example shows that work on this problem can go on indefinitely.
The expert discovered a vulnerability in Instagram's account password recovery system. When a user enters their phone number to regain access to a profile, Instagram sends a six-digit numeric code, which the user must enter to confirm their identity.
Laxman Muthiah reasoned that if he could try a million different codes at this stage, one of them would certainly match, which would allow the password of any Instagram account to be changed.
Nevertheless, the expert rightly assumed that the service would have protection against such a head-on attack.
Indeed, Instagram limited the number of password-change requests that a user can send. Muthiah then calculated that a successful hack would require 5 thousand IP addresses, each of which would send 200 thousand requests. According to the researcher, this is not difficult to arrange using a cloud service from Google or Amazon. In that case, the entire attack would cost an attacker $150.
Muthiah sent his research to Facebook, which confirmed that the existing system was insecure. According to the letter sent by the social network's management, the Instagram vulnerability was fixed, and Muthiah received $30 thousand as a “bug bounty”, a reward for the shortcomings he identified.
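A limit that can be sidestepped by spreading requests across many IP addresses is one keyed to the sender. As an added example (not Instagram's code and not taken from Muthiah's blog), this Python class counts failed guesses against the issued code itself; the class name, the five-attempt cap and the ten-minute lifetime are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed per issued code
CODE_TTL_SECONDS = 600  # assumed policy: lifetime of a code


class RecoveryCodes:
    """One pending six-digit recovery code per account (hypothetical class)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account -> [code, expires_at, failed_attempts]

    def issue(self, account):
        # CSPRNG, zero-padded so all 1,000,000 values are equally likely.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code  # a real service sends this to the phone instead

    def verify(self, account, guess, source_ip):
        # source_ip is for logging only. It is deliberately not the key of
        # the attempt counter, so changing address does not reset the count.
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._pending[account]  # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]  # void the code; a new one is required
            return "locked"
        return "wrong"


def guesses_from_distinct_ips(n):
    """Constructed scenario: n wrong guesses, each from a different address."""
    store = RecoveryCodes()
    real = int(store.issue("alice"))
    return [
        store.verify("alice", f"{(real + 1 + i) % 10**6:06d}", f"198.51.100.{i}")
        for i in range(n)
    ]
```

Code issuance needs its own per-account limit as well, otherwise each fresh code grants another five guesses.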
The expert also gave some tips to Instagram users on protecting themselves and their data.
He recommends changing your password regularly, using only unique and varied combinations, and enabling two-factor authentication so that any account changes are performed only with the user's approval.
In May of this year, a massive leak of personal information of bloggers and celebrities from Instagram became known; a total of about 50 million people were affected. A database containing the data of millions of Instagram stars was discovered on the Internet, according to TechCrunch. This database, hosted in the Amazon Web Services public cloud, was openly accessible and available to everyone.
As it turned out, each entry contained personal data of Instagram bloggers and influencers, including their biography, profile photo, number of followers, geolocation, as well as email address and mobile phone number.
Shortly after the leak was reported in the foreign press, the database went offline, and Facebook announced the launch of its own investigation.
“We will conduct an investigation in order to understand where the data, including email addresses and phone numbers, came from — from Instagram or other sources. We will also contact Chtrbox [the leakage company] to find out where they got this information from and how it was made publicly available,” Facebook said in an official statement.
In June, Instagram's management announced a simplified procedure for recovering an account after a hack. The new system will ask the user for details that can confirm their identity, for example the original email address (if the hacker changed it) or the phone number. The user will then receive a six-digit code to restore the account.
This method will help return the profile to its owner even if the attackers change all contact information to complicate recovery.
The news was enthusiastically received by Instagram users, who had repeatedly complained that it was impossible to get an account back promptly because the service's support team is heavily overloaded with such requests.
