Facebook Rewards This Security Researcher with $10k for Discovering Instagram Passcode Flaw

An Indian security researcher named Laxman Muthiya is known as a bug Hunter due to his ability to find loopholes in social media platforms. Just a month ago, Muthiya spotted a flaw in Instagram and Facebook rewarded him with $30,000. The team of Facebook appraised Laxman for finding the hack in the platform and eventually helping the platform to make it more secure for the users.

Flaw discovered on Instagram by Indian bug hunter

Now on Monday, this bug hunted discovered another flaw in the photo and video-sharing app. The team of Facebook offers a bug bounty program for researchers to detect flaws in the platform and eventually rewards them. So, Laxman discovered a loophole in Instagram again and this time he won $10,000 from Facebook.

In July, Laxman reported the flaw in Instagram that could easily enable anyone to hack Instagram accounts and use it without the acknowledgment by users. Although Facebook fixed the vulnerability found by Laxman previously but this new loophole is also similar to that previous one.

According to Laxman, information of the same device ID, the identifier by the Instagram server to authenticate password reset codes can be used in a way that can create multiple passcodes for different users. Laxman displayed that this minor mistake can result in the hack of millions of Instagram accounts.

Detailed insight on how Instagram accounts were hacked again

Instagram uses device ID as a unique identifier to validate password reset codes. Whenever a user tries to reset passcode through mobile phone, along with the request Instagram server also sends user device ID, The device ID is used to again verify the passcode.

The same Device ID can also be used in a way that can help hackers to request multiple passcodes resets for a variety of users.

If you look at the possibilities of a 6 digit passcode you’ll see millions of them. When hackers request the passcode for multiple users, they eventually increase the probability to hack accounts easily. If a hacker requests for 1 million user passcode resets this means that he can hack one million accounts easily by increasing the possibilities of passcodes.


For a hacker to access Instagram accounts with a 100 percent success rate, all he’ll need is to request 1 million users passcode reset. Also, keep in mind this hacking trick can only happen within 10 minutes. This vulnerability is over now because this issue was resolved by the Facebook security team when Laxman submitted his proposal regarding the hack of Instagram accounts.

Bottom Line

Facebook and Instagram are one of the largest social media platforms and there is nothing else that scares the users more than the ability of hackers to access their personal information. Laxman is a researcher known for his ability to detect loopholes even in the most secured platforms as well, this hacking strategy by Laxman was praised by the team of Facebook. The reward by Facebook shows how much they prefer people to bring out the loopholes from the platforms to help them make it the best experience for the users.



Read next: Instagram will ‘tweak’ the Stories Ad frequency
Previous Post Next Post