Facebook has run a bug bounty program that lets independent researchers report security flaws for almost a decade now. Only recently, a very serious issue affecting Instagram account security was patched after a researcher found a way to brute-force the login verification for virtually any Instagram account and take control of it.
The find earned Laxman Muthiyah a $30,000 award, and the severity of the issue more than justifies that sum. Muthiyah discovered a weakness in the two-factor authentication procedure that relies on a code sent to the user's mobile phone. Instagram generates a six-digit code, which Muthiyah set out to brute-force; a six-digit code has roughly a million possible values. The only obstacle was the limited window in which the randomly generated code is active: Instagram keeps the code valid for just ten minutes.
Instagram 2FA work-arounds exploited
Feeding a million guesses into that short window should have been impractical, because Instagram limits the number of attempts allowed within a time window, but that limit was enforced per IP address only. Muthiyah pointed out that bad actors intent on hijacking an account would either abuse a large number of cloud accounts legitimately offered by services such as Amazon or Google, or fall back on a pre-established network of compromised systems, which is what most botnets are.
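To make the weakness concrete from the defender's side, here is an added simulation (not Instagram's code, and the attempt limit of five per window is an assumed value) showing how a limit counted only per source IP lets the total number of guesses against one account grow with the number of IPs, whereas a limit counted per target account caps the total regardless of where the attempts come from.

```python
"""Verification-code attempt limiting: per-IP vs per-account.

Constructed example, not Instagram's implementation. Models the weakness
described above: counting attempts only per source IP lets guesses spread
across many IPs add up, while counting per target account caps the total
guesses against a six-digit code inside its lifetime.
"""
from collections import defaultdict

CODE_SPACE = 10**6          # six-digit code: about a million combinations
CODE_TTL_SECONDS = 10 * 60  # the page states the code stays valid ten minutes
MAX_ATTEMPTS = 5            # assumed per-key limit within one code lifetime


class AttemptLimiter:
    """Counts verification attempts per key (IP or account) within a window."""

    def __init__(self, key_func, max_attempts=MAX_ATTEMPTS, window=CODE_TTL_SECONDS):
        self.key_func = key_func
        self.max_attempts = max_attempts
        self.window = window
        self._attempts = defaultdict(list)  # key -> timestamps of attempts

    def allow(self, account, ip, now):
        """Return True if the attempt is accepted, False if the key is over budget."""
        key = self.key_func(account, ip)
        recent = [t for t in self._attempts[key] if now - t < self.window]
        self._attempts[key] = recent
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


def per_ip(account, ip):
    return ip            # the weak policy: budget is tracked per source address


def per_account(account, ip):
    return account       # the fix: budget is tracked per targeted account


def guesses_possible(limiter, account, ip_count, now=0.0):
    """Guesses that get through against one account from ip_count addresses
    within a single code lifetime (each address tries until it is refused)."""
    allowed = 0
    for n in range(ip_count):
        while limiter.allow(account, f"ip-{n}", now):
            allowed += 1
    return allowed


def compare(ip_count, account="victim"):
    """(guesses under per-IP limit, guesses under per-account limit)."""
    return (guesses_possible(AttemptLimiter(per_ip), account, ip_count),
            guesses_possible(AttemptLimiter(per_account), account, ip_count))
```

With one address both policies allow five guesses; with a thousand addresses the per-IP policy allows 5,000 (still only 0.5% of CODE_SPACE, which is why a real attack needs far more addresses), while the per-account policy still stops at five.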
The attack Muthiyah mounted used a $150 setup of cloud accounts and was recorded on video for the Instagram / Facebook security team, who have since addressed the issue.
This attack vector is not the only way hackers have found to circumvent two-factor authentication. There have been cases of bad actors redirecting the victim to a fake 2FA code page, harvesting the code entered there and then using it to take control of the account in question.