This 26-Year-Old Chennai Guy Has Won Rs 29 Lakh As Reward For Identifying Bugs In Facebook, Instagram!
We have a hero amongst us – Laxman Muthiyah, who identified two bugs in one of the world’s most popular social media sites, Facebook-owned Instagram, within a month of each other.
He was rewarded $30,000 and $10,000 for finding these bugs and reporting them to Facebook and Instagram.
What is this bug in Instagram for which Laxman Muthiyah got awarded $10,000? Find out all about the bug right here!
Laxman Muthiyah Identifies Bug In Instagram; Gets Rewarded by Facebook
In July, Laxman Muthiyah, a security researcher based out of Chennai, detected a bug in the Instagram app, which fetched him $30,000 in reward. And now, he has found another bug in Facebook-owned Instagram. Both the bugs that he detected are quite similar to each other.
In his blog, Muthiyah says that he identified a vulnerability in the app which enabled him to hack into any account without ‘consent permission.’ He also says that Instagram and Facebook have fixed the bug, and it doesn’t exist anymore.
Facebook admitted to the presence of the bug in a message to Muthiyah, saying, “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery.”
The platform, this time, awarded him $10,000 as part of its bug bounty programme. Facebook offers a bounty, that is, a cash prize, to those who detect a bug in its platforms, such as Facebook or Instagram.
All You Need To Know About The Bug on Instagram
In his blog, ‘How I Hacked Instagram Again’, Muthiyah goes on to explain the details of the bug he discovered on Instagram.
In his blog, Muthiyah states that the Instagram server uses a person’s device ID as a unique identifier to verify a password reset code. He says, “When a user requests a pass code using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the pass code.”
A hacker would have to request the pass codes of 1 million users in order to complete the attack, and this has to be done with a 100 per cent success rate. There is a ten-minute window, which means that the attack has to be carried out within a ten-minute time span.
The bug that Laxman Muthiyah detected in July is very similar to this one. However, both bugs have been fixed by Facebook.
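The article describes a device ID being sent with every pass code request and an attack that depends on requesting codes for a very large number of users within ten minutes. The following is an added example (not from Muthiyah's blog or from Facebook's code) of detection logic a defender could run over recovery logs to flag one device ID requesting codes for many different accounts inside that window; the log format, field names and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 600          # the ten-minute window described in the article
MAX_ACCOUNTS_PER_DEVICE = 3   # assumed threshold; tune to real traffic

# Constructed sample log in a hypothetical format: timestamp, device ID, target account.
SAMPLE_LOG = """\
2019-08-01T10:00:00Z device_id=dev-A account=alice event=passcode_request
2019-08-01T10:01:00Z device_id=dev-A account=alice event=passcode_request
2019-08-01T10:00:00Z device_id=dev-B account=u1 event=passcode_request
2019-08-01T10:01:00Z device_id=dev-B account=u2 event=passcode_request
2019-08-01T10:02:00Z device_id=dev-B account=u3 event=passcode_request
2019-08-01T10:03:00Z device_id=dev-B account=u4 event=passcode_request
2019-08-01T10:04:00Z device_id=dev-B account=u5 event=passcode_request
2019-08-01T10:00:00Z device_id=dev-C account=c1 event=passcode_request
2019-08-01T10:08:00Z device_id=dev-C account=c2 event=passcode_request
2019-08-01T10:20:00Z device_id=dev-C account=c3 event=passcode_request
2019-08-01T10:35:00Z device_id=dev-C account=c4 event=passcode_request
"""

def parse(log_text):
    """Yield (epoch_seconds, device_id, account) for each pass code request line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("event") != "passcode_request":
            continue
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when.timestamp(), fields["device_id"], fields["account"]

def flag_devices(events, window=WINDOW_SECONDS, limit=MAX_ACCOUNTS_PER_DEVICE):
    """Return {device_id: peak distinct accounts in any window} for devices over the limit."""
    recent = defaultdict(deque)   # device_id -> (timestamp, account) pairs still in the window
    flagged = {}
    for ts, device, account in sorted(events):
        seen = recent[device]
        seen.append((ts, account))
        while ts - seen[0][0] > window:   # drop requests older than the window
            seen.popleft()
        distinct = len({acct for _, acct in seen})
        if distinct > limit:
            flagged[device] = max(flagged.get(device, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_devices(parse(SAMPLE_LOG)))
```

Counting distinct accounts rather than raw requests keeps a user who retries their own reset (dev-A) or a shared device used slowly over time (dev-C) from being flagged.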