Serious Instagram 2FA Loophole Patched

Facebook has run a bug bounty program that lets independent researchers report security flaws for almost a decade now. Only recently, a very serious issue concerning Instagram account security was patched after a researcher found a way to brute-force the recovery code for more or less any Instagram account and gain control over it.

The find earned Laxman Muthiyah an award of $30 thousand, and the severity of the issue he discovered more than justifies that sum. Muthiyah discovered a weakness in the two-factor authentication procedure that relies on a code sent to the user's mobile phone. Instagram generates a six-digit code, which Muthiyah decided to brute-force, working out that there would be about a million combinations to try. The only obstacle was the limited time window in which the randomly generated six-digit code stays active - Instagram keeps the code valid for just ten minutes.

Instagram 2FA work-arounds exploited

Feeding a million attempts through in that short span of time should have been impractical, because Instagram did limit the number of attempts allowed within a time window. The catch was that the limit was enforced per IP address, so every new source address started with a fresh allowance. Muthiyah pointed out that bad actors interested in hacking an account would either abuse a large number of cloud accounts that services like Amazon or Google legitimately offer, or fall back on a pre-established network of hacked systems, which is what most botnets are.

The attack Muthiyah mounted used a $150 setup of cloud accounts and was recorded on video for the Instagram / Facebook security team, who have since addressed the issue.
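The difference between the limit Instagram had and the one it needed comes down to which key the attempt counter is scoped to. The following is an added Python illustration, not Instagram's or Facebook's code and not taken from Muthiyah's report: the CodeVerifier class, the MAX_ATTEMPTS budget of 10 and the 203.0.113.x addresses are assumptions made for the example, while the six digits and ten-minute lifetime are the figures the article gives.

```python
import secrets
import time

CODE_DIGITS = 6          # six-digit code, as the article describes
CODE_TTL_SECONDS = 600   # ten-minute validity window, as the article describes
MAX_ATTEMPTS = 10        # hypothetical attempt budget per rate-limit key

class CodeVerifier:
    """Verifies one-time codes under a chosen rate-limit scope.
    scope="ip": attempts are counted per source IP only, the weak policy the
    article describes, so every new IP starts with a fresh budget.
    scope="account": attempts are counted per target account, so the budget
    is shared by every IP that guesses against that account.
    """
    def __init__(self, scope: str, clock=time.time):
        self.scope = scope
        self.clock = clock       # injectable so expiry can be tested offline
        self.codes = {}          # account -> (code, expiry timestamp)
        self.attempts = {}       # rate-limit key -> attempts used

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[account] = (code, self.clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, account: str, ip: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'expired' or 'throttled'."""
        key = ip if self.scope == "ip" else account
        if self.attempts.get(key, 0) >= MAX_ATTEMPTS:
            return "throttled"
        self.attempts[key] = self.attempts.get(key, 0) + 1  # count every attempt
        entry = self.codes.get(account)
        if entry is None or self.clock() > entry[1]:
            return "expired"
        if secrets.compare_digest(entry[0], guess):
            del self.codes[account]  # single use: the code is burned once accepted
            return "ok"
        return "wrong"

def guesses_before_lockout(scope: str, n_ips: int) -> int:
    """How many guesses n_ips distinct sources can submit against one account
    before all of them are throttled; the gap between the scopes is the bug."""
    v = CodeVerifier(scope)
    v.issue("victim")
    total = 0
    for i in range(n_ips):
        ip = f"203.0.113.{i}"  # constructed addresses from the documentation range
        while v.verify("victim", ip, "000000") != "throttled":
            total += 1
    return total
```

With the per-IP scope the tolerated guess count grows linearly with the number of source addresses, which is exactly what renting cloud accounts buys; with the per-account scope it stays at the budget no matter how many addresses are used.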

This attack vector is not the only way hackers have found to circumvent two-factor authentication. There have been cases of bad actors redirecting the victim to a fake 2FA code page, scooping up the code entered there and then using it to gain control of the account in question.
