A security researcher earned a nice bounty payout from Facebook after demonstrating an account takeover vulnerability.
Threatpost reports:
A researcher earned a $30,000 bug bounty from Facebook after discovering a weakness in the Instagram mobile recovery process that would allow account takeover for any user, via mass brute-force campaigns.
Independent researcher Laxman Muthiyah took a look at Instagram’s mobile recovery flow, which involves a user receiving a six-digit passcode to their mobile number for two-factor account authentication (2FA). So, with six digits that means there are 1 million possible combinations of digits making up the codes.
“Therefore, if we are able to try all the 1 million codes on the verify-code endpoint, we would be able to change the password of any account,” he explained in a Sunday posting.
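The weakness in the excerpt is that the verify-code endpoint let a client keep guessing until all 1 million six-digit codes had been tried. As an added illustration (not code from Threatpost or from Muthiyah's write-up), here is a minimal recovery-code store that bounds the guessing budget per account and expires codes; the account names, the five-attempt limit and the ten-minute expiry are assumed values.

```python
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6
MAX_ATTEMPTS = 5          # assumed policy: invalidate the code after five wrong guesses
CODE_TTL_SECONDS = 600    # assumed policy: a code is only valid for ten minutes


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class RecoveryCodeStore:
    """Issues one-time recovery codes and verifies them with a per-account attempt budget."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: dict[str, PendingCode] = {}

    def issue(self, account: str) -> str:
        # Six decimal digits, drawn from a CSPRNG; one pending code per account.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account] = PendingCode(code=code, issued_at=self._now())
        return code

    def verify(self, account: str, guess: str) -> str:
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        # The budget is keyed on the account, not on the client address, so spreading
        # requests over many sources does not buy extra guesses.
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[account]
            return "locked"
        if secrets.compare_digest(entry.code, guess):
            del self._pending[account]      # single use
            return "ok"
        return "wrong"


def exhaustive_guess_outcome(store: RecoveryCodeStore, account: str):
    """Try every six-digit code in order; return (final result, guesses consumed)."""
    for n in range(10 ** CODE_LENGTH):
        result = store.verify(account, f"{n:0{CODE_LENGTH}d}")
        if result != "wrong":
            return result, n + 1
    return "wrong", 10 ** CODE_LENGTH
```

With the budget in place, an exhaustive run ends after at most MAX_ATTEMPTS + 1 requests instead of 1 million, so a guess succeeds only with probability MAX_ATTEMPTS / 10**CODE_LENGTH per issued code.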