Instagram Login Vulnerability Could Allow Account Takeover in Minutes

A researcher has found a way to break into Instagram accounts within minutes. The Instagram login vulnerability he discovered could let attackers bypass two-factor authentication.

Instagram Login Vulnerability Discovered

As revealed in a recent blog post, the researcher Laxman Muthiyah spotted a flaw that threatened Instagram users. He discovered an Instagram login vulnerability that could let an attacker bypass 2FA.

While looking for a possible flaw in the Facebook and Instagram platforms, he tested Instagram's forgot-password endpoint. While there seemed to be no problem with the password reset link on the web interface, the mobile platform told a different story.

As in the usual verification method, the platform sent a six-digit password reset code to the user's mobile number. And, as with other such codes, it was possible for an adversary to brute-force the code. The researcher believed there would be some rate limiting to prevent brute-forcing.

Whilst the platform does apply rate limiting, he also noticed two ways to bypass it: the absence of IP blacklisting and a race condition. As stated in his blog,

Yet, it was not as easy as it sounds. The researcher explained that the code would expire within 10 minutes. So, to successfully exploit the flaw, an attacker would have to perform the attack using 1000s of IPs.
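From the defender's side, both bypasses described above stop working when the guess budget is attached to the issued code rather than to the client IP, and when the check and the decrement happen atomically. The sketch below is an added example, not code from the researcher's post or from Instagram; the class name, the five-attempt budget and the in-memory store are assumptions, while the six-digit code and the 10-minute expiry come from the article.

```python
import hmac
import secrets
import threading
import time

CODE_TTL_SECONDS = 600  # the article states the code expires within 10 minutes
MAX_ATTEMPTS = 5        # assumed budget per issued code, not a figure from the article


class ResetCodeVerifier:
    """Hypothetical verifier: failed guesses are counted per issued code, not per IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()
        self._pending = {}  # account -> [code, expires_at, attempts_left]

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit code, as in the article
        with self._lock:
            # A new code replaces the old one and starts a fresh budget.
            self._pending[account] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account, guess, client_ip=None):
        # client_ip is ignored on purpose: spreading guesses over many
        # addresses must not enlarge the budget.
        with self._lock:
            # Check and decrement under one lock, so concurrent requests
            # cannot all pass the check before any of them is counted.
            entry = self._pending.get(account)
            if entry is None:
                return "no_code"
            code, expires_at, attempts_left = entry
            if self._clock() >= expires_at:
                del self._pending[account]
                return "expired"
            if attempts_left <= 0:
                return "locked"
            entry[2] = attempts_left - 1
            if hmac.compare_digest(code.encode(), guess.encode()):
                del self._pending[account]  # single use
                return "ok"
            return "wrong"


if __name__ == "__main__":
    v = ResetCodeVerifier()
    code = v.issue("alice@example.com")  # constructed sample account
    print(v.verify("alice@example.com", code, client_ip="203.0.113.7"))
```

Issuing codes needs its own per-account limit as well; otherwise requesting a fresh code renews the attempt budget.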

While the researcher has given the PoC in his blog post, he has also demonstrated the attack in the following video.