With the ever-growing technology, the world is moving towards an age where assets not only means money, property, cars etc. Data &  Information are also considered assets now. In this technology and the internet-driven world, data & information are being considered as one of the most important assets of any organisation. And just like every other asset, these assets can also be stolen or misused by people to either hamper the well being of the organisation or for personal benefit by any person. 

Facebook & Google, one of the biggest technology-driven companies have encountered data breaches at several instances. The growing reliance on data resources and databases has given birth to the need for higher data security. 

Data Security is a system which focuses on protecting digital privacy to prevent unauthorised users from accessing or modifying or attempting to corrupt important data stored on computers, databases or on clouds(Internet/Website). 

Recently, Laxman Muthiyah, 25-year-old computer science engineer, who is currently working as a security researcher, has found a bug in Instagram Application. The guy was investigating through the Instagram app about how Instagram users can access their accounts in case they have forgotten their passwords. During his observation, he observed a bug in the app that would let any hacker or intruder, take over and access the account of any user using the account recovery process. (The process that let’s user access their account in case they have forgotten the password.)

When a user forgets the password to its user id, he/she has the option to go to forget password menu and send a request for a new password. The process involves a user authentication stage, where the server sends a 6 digit code to the user to their registered mobile number or e-mail and the user has to input those numbers within 10 minutes of requesting the code. This leads the user to the next page where they can reset their passwords.

However, there are only a countable number of 6-digit-codes. In all 900,000 combinations are there of 6 digit numbers only. But yes, it is not possible to input those 900,000 numbers in just 10 minutes. One reason is that it is not practically possible. The other reason being that even if someone uses a tool or a supercomputer to try all 900,000 combinations, Instagram has limited the number of trials to 250 per IP address only.  

However, as told by Laxman, this limit of 250 attempts can be surpassed by sending a large number of requests using multiple IP addresses and that too simultaneously. He has also uploaded a video about how he managed to get 200,000 attempts limit from the Instagram server for trying to input those numbers using the “Brute Force” technique. 

Brute Force is a technique that is used by intruders/hackers to perform trial and error method to decode encrypted data such as passwords or Data Encryption Standard (DES) keys. This does not involve any intellectual activity, but only exhaustive efforts to break into the system using multiple combinations of figures/codes in multiple trial attempts.

He uploaded a blog post about this which reads:
“Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn’t find any bugs after a few minutes of testing. Then switched to their mobile recovery flow, where I was able to find a susceptible behaviour.”

Muthiah tells that their time-limit window of 10 minutes is the key to their rate-limiting mechanism. This 10-minute window makes it even harder to attempt the breach. As a result, he had to use 1000 machines to duplicate 1000 IP addresses to send multiple requests at nano-intervals (Almost simultaneously) to have obtained the limit of 200,000 attempts. The major shortcoming was that if anyone used 5000 machines all at once, then they would have obtained 10,00,000 attempts and would have had enough time to try all the 6-digit combinations to finally breach into the account.

After Muthiyah reported the bug to Instagram, they verified the authenticity of the news by working on it themselves. Also, they have affirmed that they have rectified the code to remove the bug and have not obtained any evidence of this bug being misused by anyone. That’s good news though.  

Instagram also recognised the ethical act of sharing the bug with Instagram, which helped them to remove at the earliest and save the susceptible data breach. Laxman was awarded $30,000 (Approximately Rs. 20,50,000) for his gesture and was given a place in Bug-Bounty program. Laxman has also earned a $ 10,000 bounty from Facebook earlier, for detecting a bug regarding looking at the private photo. 

These tech-giants run a bug-bounty program, where they invite and welcome people from around the world to test their applications and websites to detect bugs/loopholes in the coding system and prevent the breach of the website by helping them in correcting the same.

If you enjoyed this article, also read: