As you already know, not every social media platform is 100% safe to use, as there may be bugs that put users' security at risk.
Laxman Muthiyah, the Chennai-based security researcher who earlier found a flaw in Instagram and was awarded $30,000 by Facebook, claimed that he has found another account takeover vulnerability in the photo- and video-sharing app, and this time he won $10,000 under the social network's bug bounty programme.
The new vulnerability that Muthiyah reported is similar to the previous one he found in Instagram. According to Muthiyah's report, Facebook has now fixed the issue.
He also said: “Facebook and Instagram security team fixed the issue and rewarded me $10000 as a part of their bounty programme.”
Muthiyah found that the same device ID – the unique identifier the Instagram server uses to validate password reset codes – could be used to request multiple passcodes for different users. He showed that this weakness could lead to Instagram accounts being taken over.
After he reported the issue, Facebook stated: “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery.”
In his previous finding, Muthiyah discovered that it was possible to take over someone's Instagram account simply by using the password reset option, requesting a recovery code, and then quickly trying possible recovery codes against the account.
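To make the defensive point concrete, here is an added example (not Instagram's or Muthiyah's code) of a hypothetical password-reset service that closes the two gaps described above: it refuses to issue codes when one device ID fans out across many accounts, and it makes every code single-use, expiring and attempt-limited. The class name, limits and sample device IDs are constructed for illustration.

```python
import secrets
import time
from collections import defaultdict

# Limits are constructed for this example; Instagram's real thresholds are not public.
MAX_USERS_PER_DEVICE = 2     # distinct accounts one device may request codes for
MAX_ATTEMPTS_PER_CODE = 3    # wrong guesses before the code is burned
CODE_TTL_SECONDS = 600       # a code is useless after ten minutes

class RecoveryService:
    """Hypothetical password-reset endpoint with per-device and per-code protections."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}                     # (device_id, user) -> [code, expiry, attempts]
        self.device_users = defaultdict(set)  # device_id -> accounts it requested codes for

    def request_code(self, device_id, user):
        """Issue a 6-digit code, or refuse if this device is spraying requests across accounts."""
        users = self.device_users[device_id]
        if user not in users and len(users) >= MAX_USERS_PER_DEVICE:
            return None                       # the missing check in the reported bug
        users.add(user)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(device_id, user)] = [code, self.clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify_code(self, device_id, user, guess):
        """Single-use, expiring, attempt-limited check bound to the requesting device."""
        key = (device_id, user)
        entry = self.pending.get(key)
        if entry is None or self.clock() > entry[1]:
            self.pending.pop(key, None)       # unknown or expired: nothing to compare against
            return False
        entry[2] += 1
        if secrets.compare_digest(entry[0], guess):
            del self.pending[key]             # a code can succeed exactly once
            return True
        if entry[2] >= MAX_ATTEMPTS_PER_CODE:
            del self.pending[key]             # burn the code after repeated misses
        return False
```

Rejected requests and burned codes are the events a detection team would want logged per device ID, since a flood of them is exactly the pattern this bug enabled.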