Chennai-based security researcher Laxman Muthiyah has once again won $10,000 from a bug bounty program after finding, for the second time in a row, a flaw in the Facebook-owned photo-sharing app Instagram.
The new bug Muthiyah spotted was similar to the one he reported in July and would have let anyone take over Instagram accounts without the account owner's involvement.
Facebook, Instagram's parent company, has now fixed the vulnerability Muthiyah reported.
“Facebook and Instagram security team fixed the issue and rewarded me $10,000 as a part of their bounty program,” Muthiyah said in a blog post.
Muthiyah found that the same device ID, the unique identifier the Instagram server uses to authenticate password reset codes, could be used to request multiple passcodes for different users, so a single attacker-controlled device ID could hold outstanding reset codes for many accounts at once.
He highlighted that this vulnerability can be exploited to hack Instagram accounts.
Last month, Muthiyah discovered it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code and then quickly trying out possible recovery codes against the account.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and a proof-of-concept video, I could convince them the attack is feasible,” Muthiyah wrote in a blog post.
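The device-ID reuse described above and the code-guessing attack from July both come down to two design questions: what a reset code is bound to, and how many guesses a verifier tolerates. The Python below is an added illustration written for this page, not Instagram's or Muthiyah's code. It models a deliberately simplified weak service that authenticates codes by device ID alone, beside a hardened one that binds each code to the account and the requesting device, makes it single-use, expires it and locks the account out after a few wrong guesses. The code length (6 digits), the attempt limit (5) and the lifetime (10 minutes) are assumptions, not figures from the article.

```python
"""Toy password-reset-code service: a weak, device-keyed design next to a
hardened one. Added illustration, not Instagram's code. Assumed, not stated
in the article: codes are 6 digits, the hardened verifier allows 5 guesses
per account and codes expire after 10 minutes."""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

CODE_DIGITS = 6         # assumption
MAX_ATTEMPTS = 5        # assumption
CODE_TTL_SECONDS = 600  # assumption


def new_code() -> str:
    """Cryptographically random, zero-padded numeric code."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class WeakResetService:
    """Simplified model of the weakness class in the article: codes are
    authenticated by device ID alone. One device ID can collect codes for
    many accounts, verification never checks which account a code was
    issued for, and nothing limits the number of guesses."""

    def __init__(self) -> None:
        self.codes: Dict[str, Set[str]] = {}

    def request_code(self, device_id: str, username: str) -> str:
        code = new_code()
        self.codes.setdefault(device_id, set()).add(code)
        return code

    def verify(self, device_id: str, username: str, code: str) -> bool:
        return code in self.codes.get(device_id, set())


class HardenedResetService:
    """Each code is bound to (account, device), single-use, time-limited and
    guess-limited; comparisons are constant-time."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        # username -> (device_id, code, issued_at, failed_attempts)
        self.pending: Dict[str, Tuple[str, str, float, int]] = {}

    def request_code(self, device_id: str, username: str) -> str:
        code = new_code()
        # A new request replaces the old code: an account never has more
        # than one live code, however many requests are sent.
        self.pending[username] = (device_id, code, self.now(), 0)
        return code

    def verify(self, device_id: str, username: str, code: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        bound_device, real_code, issued_at, attempts = entry
        if attempts >= MAX_ATTEMPTS or self.now() - issued_at > CODE_TTL_SECONDS:
            del self.pending[username]  # locked out or expired: discard the code
            return False
        ok = hmac.compare_digest(bound_device, device_id) and \
            hmac.compare_digest(real_code, code)
        if ok:
            del self.pending[username]  # single use
        else:
            self.pending[username] = (bound_device, real_code, issued_at, attempts + 1)
        return ok


def brute_force(service, device_id: str, username: str) -> Optional[int]:
    """Guess every code in order, as the July attack did; return the number
    of guesses needed, or None if the service never accepts one."""
    for guess in range(10 ** CODE_DIGITS):
        if service.verify(device_id, username, f"{guess:0{CODE_DIGITS}d}"):
            return guess + 1
    return None


if __name__ == "__main__":
    weak, hard = WeakResetService(), HardenedResetService()
    bob_code = weak.request_code("attacker-device", "bob")
    print("weak: bob's code accepted for alice?",
          weak.verify("attacker-device", "alice", bob_code))
    weak.request_code("attacker-device", "alice")
    print("weak: guesses until a code for alice is accepted:",
          brute_force(weak, "attacker-device", "alice"))
    hard.request_code("attacker-device", "alice")
    print("hardened: guesses until accepted (None = locked out):",
          brute_force(hard, "attacker-device", "alice"))
```

Running the file shows the weak service accepting a code requested for one user when it is presented for another user from the same device, and accepting a guessed code after at most a million attempts, while the hardened service stops accepting anything for the account after MAX_ATTEMPTS wrong guesses, so an exhaustive search returns None.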