Bug bounty hunters can earn substantial sums by reporting security vulnerabilities to technology companies. Chennai-based security researcher Laxman Muthiyah has been awarded $10,000 (approx. Rs 7.18 lakh) in bug bounty for reporting a vulnerability in Instagram, the Facebook-owned photo-sharing app.
Muthiyah found a vulnerability that would have let anyone take over an Instagram account without any action by the account's owner. The device ID, which the Instagram server uses to validate password reset codes, could be reused to request passcodes for many different users. He demonstrated how criminals could exploit the flaw to hijack Instagram accounts.
When a user requests a passcode from the mobile app, a unique identifier (the device ID) is sent along with the request. This device ID is a random string generated by the Instagram app. The six-digit passcode has one million possible values, which is what is supposed to protect an account against guessing. Muthiyah found that the same device ID could be used to request passcodes for many different users, so instead of accepting one code for a device the server ends up accepting one code per requested account. Requesting codes for enough accounts under a single device ID covers a large share of the million-value space, and a code the attacker then submits is very likely to reset somebody's password; by his account, requesting passcodes for one million users completes the attack with a 100% success rate.
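To make the collision concrete, here is an added simulation in Python; it is not Muthiyah's proof of concept and not Instagram's code. It assumes a toy reset server that stores codes keyed by (device ID, code) only, which is the behaviour described above, and places a hardened version beside it that binds each code to the account that requested it and caps both pending codes per device and verification attempts per code. The service classes, the victim list, the device name and the seeded random generator are all constructed for the example.

```python
import hmac
import random
from collections import Counter

CODE_SPACE = 10 ** 6  # six decimal digits: exactly one million possible passcodes


class VulnerableResetService:
    """Toy model of the reported flaw (an assumed server design, not Instagram's
    code): a passcode is looked up by (device_id, code) only."""
    def __init__(self, rng):
        self.rng = rng
        self.codes = {}  # (device_id, code) -> username

    def request_code(self, username, device_id):
        code = f"{self.rng.randrange(CODE_SPACE):06d}"
        self.codes[(device_id, code)] = username
        return code  # sent to the account owner's phone; the attacker never sees it

    def reset_password(self, device_id, code, new_password):
        # Whichever account happens to hold this code for this device gets reset.
        return self.codes.pop((device_id, code), None)


def collision_attack(service, victims, attacker_device, guess_budget):
    """Request a code for every victim under ONE device ID, then submit codes in
    order until the server accepts one. Returns (hijacked_user, guesses_used)."""
    for victim in victims:
        service.request_code(victim, attacker_device)
    for guess in range(guess_budget):
        user = service.reset_password(attacker_device, f"{guess:06d}", "pwned")
        if user is not None:
            return user, guess + 1
    return None, guess_budget


class RateLimited(Exception):
    pass


class HardenedResetService:
    """Same flow, but a code is bound to the requesting account as well as the
    device, pending codes per device are capped, and each code allows few tries."""
    def __init__(self, rng, max_codes_per_device=5, max_attempts=5):
        self.rng = rng
        self.max_codes_per_device, self.max_attempts = max_codes_per_device, max_attempts
        self.pending = {}        # username -> {"device", "code", "attempts"}
        self.issued = Counter()  # device_id -> number of pending codes it requested

    def request_code(self, username, device_id):
        if self.issued[device_id] >= self.max_codes_per_device:
            raise RateLimited(f"too many pending codes for device {device_id}")
        if username in self.pending:  # a new request replaces the old code
            self.issued[self.pending[username]["device"]] -= 1
        code = f"{self.rng.randrange(CODE_SPACE):06d}"
        self.pending[username] = {"device": device_id, "code": code, "attempts": 0}
        self.issued[device_id] += 1
        return code

    def reset_password(self, username, device_id, code, new_password):
        entry = self.pending.get(username)
        if entry is None or entry["device"] != device_id:
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], code)
        if ok or entry["attempts"] >= self.max_attempts:
            del self.pending[username]  # consumed, or burned after too many tries
            self.issued[device_id] -= 1
        return ok


def hardened_attack(service, victims, attacker_device):
    """Same attacker against the hardened service: (codes issued before the cap, success)."""
    issued = 0
    try:
        for victim in victims:
            service.request_code(victim, attacker_device)
            issued += 1
    except RateLimited:
        pass
    target, guess = victims[0], 0
    while target in service.pending:  # the code is burned after max_attempts
        if service.reset_password(target, attacker_device, f"{guess:06d}", "pwned"):
            return issued, True
        guess += 1
    return issued, False


def run_demo(n_victims=20_000, seed=2019):
    """Constructed scenario: n_victims target accounts and a seeded server RNG."""
    victims = [f"user{i}" for i in range(n_victims)]
    vuln = VulnerableResetService(random.Random(seed))
    user, guesses = collision_attack(vuln, victims, "attacker-phone", CODE_SPACE)
    bound = sum(1 for dev, _ in vuln.codes if dev == "attacker-phone")
    hard = HardenedResetService(random.Random(seed))
    issued, ok = hardened_attack(hard, victims, "attacker-phone")
    return {"vulnerable_codes_bound": bound, "vulnerable_hijacked": user,
            "vulnerable_guesses": guesses, "hardened_codes_issued": issued,
            "hardened_hijacked": ok}


if __name__ == "__main__":
    print(run_demo())
```

With 20,000 constructed victims the vulnerable server ends up accepting roughly 2% of the code space for one device, so a sequential guess usually lands on somebody's account within the first hundred or so tries; requesting codes for millions of accounts pushes that coverage towards the whole space, which is what the 100% success rate above refers to. Against the hardened service the issuance loop stops at the per-device cap and the target's code is burned after a handful of attempts, so the attacker is back to a one-in-a-million guess per request.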
The letter from Facebook reads, “After reviewing this issue, we have decided to award you a bounty of $10000. You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery.”
He is an active security researcher: last month he was in the news for winning $30,000 (Rs 21.54 lakh) from Facebook for spotting another flaw in Instagram. That vulnerability could have compromised accounts in a similar way, by allowing an attacker to send a large number of password reset requests.
Cyber security and data protection have become top concerns for internet platforms around the world.
Apple recently expanded the scope of its bug bounty program, offering up to $1 million in rewards.