From PC Mag: A security researcher uncovered a bug in Instagram's account recovery process that could've been used to break into people's accounts.
Researcher Laxman Muthiyah found the bug while investigating how the social media app lets you regain access to your account if you've forgotten your password. To prove your identity, Instagram can send a random six-digit code to your smartphone by SMS. You're then asked to enter those digits into the app.
Muthiyah wondered if anyone could "brute force" the process by inputting a huge number of combinations to try and guess the right code. As it turns out, you can, under certain conditions.
Instagram does place some restrictions on code entry during account recovery: guesses are rate-limited to 250 per IP address, and the code itself is only valid for 10 minutes, so every guess has to land inside that window.
A six-digit code has a million possible values (000000 through 999999), far too many for any human to type in. Muthiyah found, however, that he could automate a brute-force attack against Instagram's API: he wrote a script that fired a huge number of guesses concurrently, spreading them across a rotating list of IP addresses so that no single address ran into the per-IP limit.
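To make the arithmetic behind the attack concrete, here is a toy model of the weakness: a recovery endpoint whose only defence is a per-source-IP counter, an attacker who rotates IPs to walk the whole six-digit keyspace, and a hardened variant that binds the attempt counter to the code itself. This is an added example written for this page, not Instagram's code or the researcher's script; the 250-per-IP limit, the 10-minute expiry and the six-digit keyspace come from the article, while the service internals and the hardened variant's five-failure cap are assumptions.

```python
"""Toy model: per-IP rate limiting versus a per-code attempt cap.

Added example, not Instagram's implementation. Limits taken from the text:
250 guesses per IP, a six-digit code valid for 10 minutes. Everything else
(service internals, the five-failure cap in the hardened variant, the IP
pool) is an assumption made for illustration.
"""
import math
from collections import defaultdict

CODE_SPACE = 10**6          # six digits: 000000 .. 999999
PER_IP_LIMIT = 250          # guesses accepted from one source IP (from the text)
CODE_TTL_SECONDS = 600      # the code is only valid for 10 minutes (from the text)


def ips_needed(space=CODE_SPACE, per_ip_limit=PER_IP_LIMIT):
    """Distinct source IPs required to cover the whole keyspace under a per-IP cap."""
    return math.ceil(space / per_ip_limit)


def required_rate(space=CODE_SPACE, ttl=CODE_TTL_SECONDS):
    """Aggregate guesses per second needed to exhaust the keyspace before expiry."""
    return space / ttl


class PerIpLimitedService:
    """Weak design: the only counter is keyed by the caller's IP address."""

    def __init__(self, code):
        self.code = code                      # the six-digit string sent by SMS
        self.attempts_by_ip = defaultdict(int)

    def verify(self, ip, guess):
        if self.attempts_by_ip[ip] >= PER_IP_LIMIT:
            return "rate_limited"
        self.attempts_by_ip[ip] += 1
        return "ok" if guess == self.code else "wrong"


class PerCodeLimitedService(PerIpLimitedService):
    """Hardened variant (assumption, not the fix the article describes):
    a failure counter bound to the code itself, independent of source IP.
    After MAX_FAILURES wrong guesses the code is invalidated and a fresh one
    must be requested, so rotating IPs buys the attacker nothing."""
    MAX_FAILURES = 5

    def __init__(self, code):
        super().__init__(code)
        self.failures = 0
        self.invalidated = False

    def verify(self, ip, guess):
        if self.invalidated:
            return "invalidated"
        result = super().verify(ip, guess)
        if result == "wrong":
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.invalidated = True
        return result


def brute_force(service, ip_pool):
    """Try every code in order, moving to the next IP as soon as the current
    one is rate limited. Returns (code_found, requests_sent, ips_used);
    code_found is None if the code was invalidated before it was hit."""
    ips = iter(ip_pool)
    ip = next(ips)
    sent, used = 0, 1
    for guess in range(CODE_SPACE):
        while True:
            result = service.verify(ip, f"{guess:06d}")
            sent += 1
            if result == "rate_limited":
                ip = next(ips)   # rotate; StopIteration if the pool is too small
                used += 1
                continue
            break
        if result == "ok":
            return guess, sent, used
        if result == "invalidated":
            return None, sent, used
    return None, sent, used


def constructed_ip_pool(n):
    """Constructed sample pool of n RFC 1918 addresses standing in for rotated IPs."""
    return (f"10.0.{i // 256}.{i % 256}" for i in range(n))


if __name__ == "__main__":
    print(f"IPs needed to cover the keyspace: {ips_needed()}")
    print(f"Guesses/second to finish within the TTL: {required_rate():.0f}")
    code = "987654"  # constructed sample code
    found, sent, used = brute_force(PerIpLimitedService(code), constructed_ip_pool(ips_needed()))
    print(f"per-IP limit only:  found={found} requests={sent} ips={used}")
    found, sent, used = brute_force(PerCodeLimitedService(code), constructed_ip_pool(ips_needed()))
    print(f"per-code cap added: found={found} requests={sent} ips={used}")
```

The two numbers the model makes visible are the ones that decide whether the attack is practical: 4000 distinct source addresses cover all million codes under a 250-per-IP cap, and exhausting them inside the 10-minute expiry needs roughly 1,700 guesses per second in aggregate, which is why the attack had to be concurrent rather than sequential. The hardened class shows the property that actually closes the hole: the counter must be attached to the thing being guessed (the code, or the account), not to whoever is guessing.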
View: Article @ Source Site