Instagram Account Takeover Vulnerability

July 18, 2019
Pasha Probiv

Introduction

Have you ever wondered how secure your Instagram account is against brute-force attacks? It turns out that until recently it would have cost a tech-savvy attacker about $150 to compromise any Instagram account. The vulnerability was recently discovered by a security researcher and has since been patched by Instagram.

The vulnerability could be exploited through the password recovery flow of Instagram's mobile web interface. Instagram asks the user to enter a 6-digit code that it sends to the mobile number on the account. An attacker could brute-force that 6-digit code inside the recovery flow and reset the password of the victim's account.

A brute-force attack is one in which somebody sends a large number of authentication attempts, rotating the secret value each time until the right one (in this case the 6-digit code) is accepted. Instagram had anti-brute-force controls that limited the rate at which those attempts could be made: normally about 75% of brute-force attempts were blocked, which made the attack infeasible from a single source. But the rate limit was tied to the source IP address, so it could be bypassed by sending the attempts from many different IP addresses concurrently, as illustrated below:

Since each address could get only a limited number of attempts through before being throttled, the attacker would need about 5000 IP addresses to cover every 6-digit combination (1,000,000 attempts), which works out to roughly 200 attempts per address. One could rent those IP addresses, together with the VMs needed to send the requests, from a cloud provider like Google Cloud Platform, AWS or Azure for roughly 150 dollars.
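The following simulation is an added example, not code from this post or from the researcher's report. It models the two designs the post contrasts: a verifier that counts attempts per source IP (bypassed by rotating through a pool of addresses) and a hardened verifier that counts attempts against the recovery code itself and invalidates it after a few wrong guesses. The per-IP budget of 200 is an assumption derived from the post's numbers (1,000,000 codes / 5,000 IPs), the 5-attempt per-code budget is an assumed hardening policy, the IP pool and the secret code are constructed, and the attacker rotates addresses sequentially rather than firing concurrent requests.

```python
"""Per-IP vs per-account throttling of a 6-digit recovery code (constructed demo)."""
import math
import secrets

DIGITS = 6
CODE_SPACE = 10 ** DIGITS        # 000000 .. 999999, one million codes
PER_IP_BUDGET = 200              # assumed: attempts one IP gets through before being throttled
                                 # (1,000,000 codes / 5,000 IPs as given in the post)
PER_ACCOUNT_BUDGET = 5           # assumed hardened policy: wrong guesses allowed per code


def ips_needed(code_space=CODE_SPACE, per_ip_budget=PER_IP_BUDGET):
    """IPs an attacker needs to cover the whole code space when the only
    control is a per-IP attempt budget."""
    return math.ceil(code_space / per_ip_budget)


class PerIpVerifier:
    """Weak design: the code can be guessed as often as you like, as long as no
    single source IP exceeds its budget. Rotating source IPs defeats it."""

    def __init__(self, code, per_ip_budget=PER_IP_BUDGET):
        self._code = code
        self._budget = per_ip_budget
        self._per_ip = {}        # source ip -> attempts seen from it

    def verify(self, ip, guess):
        used = self._per_ip.get(ip, 0)
        if used >= self._budget:
            return "rate_limited"
        self._per_ip[ip] = used + 1
        return "ok" if secrets.compare_digest(guess, self._code) else "wrong"


class PerAccountVerifier:
    """Hardened design: attempts are counted against the code, not the caller,
    and the code is invalidated after a handful of wrong guesses."""

    def __init__(self, code, budget=PER_ACCOUNT_BUDGET):
        self._code = code
        self._budget = budget
        self._wrong = 0
        self._valid = True

    def verify(self, ip, guess):  # ip is accepted but deliberately ignored
        if not self._valid:
            return "invalidated"
        if secrets.compare_digest(guess, self._code):
            self._valid = False  # one-time code: consumed on success
            return "ok"
        self._wrong += 1
        if self._wrong >= self._budget:
            self._valid = False  # attacker would have to trigger a fresh code
        return "wrong"


def brute_force(verifier, ip_pool, digits=DIGITS):
    """Try every code in order, moving to the next IP whenever the current one
    is throttled. Returns what the attacker ends up knowing and spending."""
    ips = iter(ip_pool)
    ip = next(ips)
    ips_used = 1
    requests = 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        while True:
            requests += 1
            result = verifier.verify(ip, guess)
            if result != "rate_limited":
                break
            ip = next(ips, None)  # throttled: rotate to a fresh address
            if ip is None:        # pool exhausted, the attack stalls here
                return {"cracked": False, "requests": requests, "ips_used": ips_used}
            ips_used += 1
        if result == "ok":
            return {"cracked": True, "code": guess, "requests": requests, "ips_used": ips_used}
        if result == "invalidated":
            return {"cracked": False, "requests": requests, "ips_used": ips_used}
    return {"cracked": False, "requests": requests, "ips_used": ips_used}


if __name__ == "__main__":
    pool = [f"10.0.{i // 256}.{i % 256}" for i in range(ips_needed())]  # 5000 constructed IPs
    code = "735129"                                                      # constructed secret
    print("IPs needed for full coverage:", ips_needed())
    print("per-IP limiter:     ", brute_force(PerIpVerifier(code), pool))
    print("per-account limiter:", brute_force(PerAccountVerifier(code), pool))
```

Against the per-IP verifier the attacker with 5000 addresses always finishes, spending one extra request per address rotation; with a pool too small to cover the space the attack simply stalls once the addresses are spent, which is why the cost of the attack is really the cost of addresses. Against the per-account verifier the same pool is useless: the code is dead after the budget of wrong guesses, so the attacker's best move is to restart the recovery flow, which a defender can in turn throttle per account.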

The security researcher who found and reported this vulnerability was awarded a $30,000 bug bounty by Instagram's owner, Facebook.
