One researcher received $5,000 from the bug bounty program after finding two flaws in the Instagram app that allowed attackers to brute-force Instagram accounts and gain entry to them.
Bug bounty hunter Arne Swinnen, who is from Germany, found the two flaws in Instagram's Android app and in the website version, instagram.com. He discovered the first flaw back in December and reported it to Facebook. It gave attackers a way to brute-force Instagram accounts on Android by targeting the authentication domain.
The app's authentication system allowed a single IP address about 1,000 guesses before it began responding that the username did not exist. That message was still being returned around the 2,000th attempt, after which the system settled into giving a single reliable response for each guess: password correct, password incorrect, or user not found. Swinnen said an attacker's script could simply keep retrying until an unreliable response turned into a reliable one. He developed a script that tested 10,001 passwords against a test account.
His test also showed that an attacker could then log in to the compromised account from the same IP address that had been used to brute-force the password. This shows that the security measures meant to block unauthorized logins were not triggered.
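The two weaknesses in this section are a guess budget that did not hold and a login that succeeded from the same source that had just exhausted it. The following is an added illustration of the defensive side, not Instagram's or Facebook's code: a throttle that budgets attempts per source IP and per target account with one generic failure message, and a check over constructed log lines that flags a success from a source that has just produced a burst of failures. The thresholds, names and log format are assumptions made for the example.

```python
"""Added example, not Instagram's or Facebook's code: a login throttle that
budgets guesses per source IP and per target account and answers every
failure with one generic message, plus a log check that flags a successful
login from a source that has just produced a burst of failures.
Thresholds, names and the log format are assumptions made for illustration."""
from collections import defaultdict, deque
import hmac
import time

MAX_ATTEMPTS = 10                    # assumed guesses allowed per key per window
WINDOW_SECONDS = 300                 # assumed sliding-window length
GENERIC_FAILURE = "Invalid username or password."   # same text for every failure


class LoginThrottle:
    def __init__(self, users, now=time.time):
        self._users = users                    # username -> password, constructed toy store
        self._now = now                        # injectable clock for deterministic tests
        self._attempts = defaultdict(deque)    # key (ip or username) -> attempt timestamps

    def _over_budget(self, key):
        queue = self._attempts[key]
        cutoff = self._now() - WINDOW_SECONDS
        while queue and queue[0] < cutoff:     # drop attempts that fell out of the window
            queue.popleft()
        return len(queue) >= MAX_ATTEMPTS

    def attempt(self, ip, username, password):
        """Return (ok, message). Once either the IP or the account is over
        budget, every guess gets the generic failure, correct or not, so the
        endpoint never turns back into a password oracle after a burst."""
        throttled = self._over_budget(ip) or self._over_budget(username)
        for key in (ip, username):
            self._attempts[key].append(self._now())   # throttled guesses still cost budget
        if throttled:
            return False, GENERIC_FAILURE
        expected = self._users.get(username, "")
        # Run the comparison for unknown users too, then require the user to exist,
        # so the code path does not branch on whether the username is valid.
        match = hmac.compare_digest(expected, password)
        if match and username in self._users:
            return True, "Login successful."
        return False, GENERIC_FAILURE


def parse_auth_line(line):
    """Parse a constructed log line: '<ts> ip=<addr> user=<name> result=<fail|success>'."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = ts
    return record


def successes_after_burst(lines, min_failures=5):
    """Return (ip, user) pairs where a success from an IP follows at least
    min_failures failures from that same IP earlier in the log."""
    failures = defaultdict(int)
    flagged = []
    for rec in map(parse_auth_line, lines):
        if rec["result"] == "fail":
            failures[rec["ip"]] += 1
        elif failures[rec["ip"]] >= min_failures:
            flagged.append((rec["ip"], rec["user"]))
    return flagged


# Constructed sample log: six failures then a success from 203.0.113.5, and
# an unrelated clean login from 198.51.100.2.
SAMPLE_LOG = [
    f"2016-05-01T10:00:0{i}Z ip=203.0.113.5 user=alice result=fail" for i in range(1, 7)
] + [
    "2016-05-01T10:00:08Z ip=203.0.113.5 user=alice result=success",
    "2016-05-01T10:01:00Z ip=198.51.100.2 user=bob result=success",
]

if __name__ == "__main__":
    throttle = LoginThrottle({"alice": "correct horse"}, now=lambda: 1000.0)
    for _ in range(MAX_ATTEMPTS):
        throttle.attempt("198.51.100.7", "alice", "wrong guess")
    print(throttle.attempt("198.51.100.7", "alice", "correct horse"))   # throttled
    print(successes_after_burst(SAMPLE_LOG))
```

Counting attempts against the account as well as the IP is what stops the guess budget from being reset by switching source addresses, and returning the generic failure even for a correct password once the budget is gone is what keeps the response from becoming reliable again after a large number of attempts. The log check is deliberately simple and would be tuned to the window and thresholds of a real service.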
Swinnen reported the second flaw in February this year. It affected the registration page of the Instagram website. Using a test account, he captured the request sent to Instagram's servers during registration. Replaying the same request produced a new message: “These credentials belong to an active Instagram account.” Attackers could use the same method and write scripts that sent requests with numerous passwords for a targeted username. If the response was a failure, the password was wrong; if it was the message saying the credentials belonged to an existing account, the password was correct.
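The registration flaw is a response oracle: the server's reply for a taken username depended on whether the submitted password matched. Below is an added illustration, not Instagram's code, of a registration handler with that behaviour beside one that never compares the submitted password against an existing account, plus a small check a defender can run against any handler to confirm its reply for a taken username does not vary with the password. Account data and messages are constructed for the example.

```python
"""Added example, not Instagram's code: a registration handler that leaks
whether a username/password pair matches an existing account, beside a
version that answers the same way for every taken username. Data is
constructed for illustration."""
import hmac

EXISTING_ACCOUNTS = {"alice": "correct horse"}   # constructed toy account store


def register_vulnerable(username, password):
    """Mirrors the behaviour described above: the reply for a taken username
    differs depending on whether the submitted password matches the account."""
    existing = EXISTING_ACCOUNTS.get(username)
    if existing is None:
        return "Account created."          # creation itself is omitted in this toy
    if hmac.compare_digest(existing, password):
        return "These credentials belong to an active Instagram account."
    return "This username is not available."


def register_hardened(username, password):
    """The submitted password is never compared with the existing account's
    password, so the reply for a taken username is identical for every guess."""
    if username in EXISTING_ACCOUNTS:
        return "This username is not available."
    return "Account created."


def is_oracle(handler, username, guesses):
    """Defender check: does the handler's reply for a username vary across
    password guesses? Any variation means the endpoint can confirm a password."""
    replies = {handler(username, guess) for guess in guesses}
    return len(replies) > 1


if __name__ == "__main__":
    guesses = ["wrong", "correct horse"]
    print("vulnerable leaks:", is_oracle(register_vulnerable, "alice", guesses))
    print("hardened leaks:  ", is_oracle(register_hardened, "alice", guesses))
```

The check is worth running in a regression suite: the vulnerable handler only looks wrong once the correct password is among the guesses, so a test that includes the real password of a test account catches the oracle where a quick manual review would not.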
Facebook addressed the issues after being notified and, according to Swinnen, also changed its password policy. He received $5,000 from the social network for his research.
Swinnen said the brute-force issue should be taken seriously, especially since the company had only recently begun rolling out its two-factor authentication system.