Facebook has had a bug bounty program that allows independent researchers to report security flaws for almost a decade now. Only recently, a very serious issue concerning Instagram account security was patched after a researcher managed to find a way to brute-force more or less any Instagram account and gain control over it.
The find earned Laxman Muthiyah an award of $30 thousand, and the severity of the issue he discovered more than justifies that sum. Muthiyah found a weakness in the two-factor authentication procedure that relies on a code sent to the user's mobile phone. Instagram generates a six-digit code; Muthiyah set out to brute-force it and worked out that there are about a million possible combinations. The only obstacle was the limited window in which a randomly generated six-digit code stays active - Instagram keeps the code valid for just ten minutes.
Instagram 2FA work-arounds exploited
Feeding a million attempts through in that short span should have been prevented by Instagram's limit on the number of attempts allowed within a time window, but that limit was enforced per IP address only. Muthiyah pointed out that bad actors interested in hacking an account would simply spread their attempts across many addresses, either by abusing a large number of cloud accounts legitimately offered by services like Amazon or Google, or by using a pre-established network of compromised systems, which is what most botnets are.
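The difference between a per-IP and a per-account attempt limit, simulated in Python as an added illustration (this is not code from the article or from Instagram); the caps, the number of attacker IPs and the account name are constructed assumptions, since the article gives no such figures.

```python
from collections import defaultdict

# From the article: a six-digit code gives about a million combinations.
CODE_SPACE = 10 ** 6

# Constructed caps for the two designs (assumptions, not Instagram's real values).
PER_IP_CAP = 200        # attempts a single source IP may make per code window
PER_ACCOUNT_CAP = 10    # attempts a single account may receive per code window


class PerIpLimiter:
    """Weak design: the cap is keyed on the source IP only, so guesses spread
    over many IPs (cloud instances, a botnet) are never cut off."""

    def __init__(self):
        self.failed = defaultdict(int)

    def allow(self, account: str, ip: str) -> bool:
        if self.failed[ip] >= PER_IP_CAP:
            return False
        self.failed[ip] += 1
        return True


class PerAccountLimiter:
    """Hardened design: the cap is keyed on the account under attack, and the
    current code is revoked once the cap is hit, so the total number of guesses
    any one code can receive is bounded regardless of how many IPs are used."""

    def __init__(self):
        self.failed = defaultdict(int)
        self.revoked = set()   # accounts whose current code must be reissued

    def allow(self, account: str, ip: str) -> bool:
        if account in self.revoked:
            return False
        self.failed[account] += 1
        if self.failed[account] >= PER_ACCOUNT_CAP:
            self.revoked.add(account)
        return True


def guesses_admitted(limiter, n_ips: int, account: str = "victim") -> int:
    """Count how many of the CODE_SPACE possible codes the limiter lets through in
    one validity window when guesses are spread round-robin over n_ips source IPs."""
    admitted = 0
    for guess in range(CODE_SPACE):
        if limiter.allow(account, f"ip-{guess % n_ips}"):
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("per-IP, 1 IP:      ", guesses_admitted(PerIpLimiter(), 1))
    print("per-IP, 5000 IPs:  ", guesses_admitted(PerIpLimiter(), 5000))
    print("per-account, 5000: ", guesses_admitted(PerAccountLimiter(), 5000))
```

With 5000 constructed source IPs the per-IP limiter admits every one of the million codes, while the per-account limiter admits only ten before forcing a fresh code.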
The attack Muthiyah managed to mount used a $150 setup of cloud accounts and was recorded on video for the Instagram / Facebook security team, who have since addressed the issue.
This sort of attack vector is not the only way hackers have found to circumvent two-factor authentication. There have been cases of bad actors redirecting the victim to a fake 2FA code page, scooping up the code entered there and then using it to gain control of the account in question.