Instagram Account Takeover Vulnerability

July 18, 2019
Pasha Probiv

Introduction

Have you ever wondered how secure your Instagram account is against brute-force attacks? It turns out that until recently it would have cost a tech-savvy hacker about $150 to be able to compromise any Instagram account. This vulnerability was recently discovered by a security researcher and patched by Instagram.

The vulnerability could have been exploited by initiating the password recovery flow within the Instagram mobile web interface. Instagram asked the user to enter a 6-digit code that it sent to their mobile number. An attacker could brute-force that 6-digit code inside the password recovery flow and thereby reset the password of the targeted Instagram account.

A brute-force attack is when somebody sends a large number of authentication attempts while rotating the secret value until the right one (in this case the 6-digit code) is found. Instagram had anti-brute-force controls in place to limit the rate at which those attempts could be made, and would normally block 75% of brute-force attempts, making the attack infeasible. But this rate limit could be bypassed by sending attempts from many different IP addresses concurrently, as illustrated below:


The attacker would need 5000 IP addresses to cover the full 6-digit code space (1,000,000 attempts). Those IP addresses, together with the VMs needed to perform the attack, could be obtained from a cloud provider such as Google Cloud Platform, AWS or Azure for roughly 150 dollars.
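To make the control failure concrete, here is a constructed Python model, added to this post and not Instagram's or the researcher's code, of a recovery-code check that enforces the per-IP limit described above next to a per-code attempt cap; the class and function names, the limits and the labelled "ip-N" sources are all assumptions.

```python
import secrets
from collections import defaultdict

class RecoveryCodeVerifier:
    """Toy model of a 6-digit SMS recovery-code check (constructed example).
    per_ip_limit:   attempts tolerated per source IP (the control the post
                    describes, defeated by spreading guesses over many IPs).
    per_code_limit: guesses tolerated against one issued code before it is
                    invalidated; None models the weak configuration."""
    def __init__(self, per_ip_limit=200, per_code_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_code_limit = per_code_limit
        self.codes = {}                        # account -> currently valid code
        self.code_attempts = defaultdict(int)  # account -> guesses against that code
        self.ip_attempts = defaultdict(int)    # source IP -> guesses from that IP

    def issue_code(self, account, code=None):
        # `code` may be supplied only so the simulation below is deterministic.
        self.codes[account] = code or f"{secrets.randbelow(1_000_000):06d}"
        self.code_attempts[account] = 0
        return self.codes[account]

    def verify(self, account, guess, source_ip):
        if self.ip_attempts[source_ip] >= self.per_ip_limit:
            return "rate_limited"              # per-IP control fires
        self.ip_attempts[source_ip] += 1
        if account not in self.codes:
            return "no_code"                   # nothing to verify (or already invalidated)
        self.code_attempts[account] += 1
        if self.per_code_limit is not None and self.code_attempts[account] > self.per_code_limit:
            del self.codes[account]            # burn the code; the user must request a new one
            return "code_invalidated"
        if secrets.compare_digest(guess, self.codes[account]):
            del self.codes[account]            # single use
            return "ok"
        return "wrong"

def simulate_distributed_guessing(verifier, account, num_ips):
    """Sweep all 1,000,000 codes, rotating guesses across `num_ips` labelled
    sources, and report how many guesses the verifier actually compared."""
    compared = 0
    for g in range(1_000_000):
        result = verifier.verify(account, f"{g:06d}", f"ip-{g % num_ips}")
        if result in ("wrong", "ok"):
            compared += 1
        if result in ("ok", "code_invalidated"):
            return compared, result
    return compared, "exhausted"
```

With only the per-IP limit, 5000 sources at 200 attempts each get every one of the 1,000,000 codes compared, whereas a small per-code cap stops the sweep after a handful of guesses regardless of how many IPs are used.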

The security researcher who found this vulnerability was awarded a $30,000 bug bounty by Instagram's owner, Facebook.