Indian Citizen Found a Bug in Instagram, FB Provided 20.5 Lakh to Him

An Indian techie found a bug in Instagram that allowed Instagram account takeover. With this bug, an attacker could easily hijack anyone's account at any time.
SÃO PAULO, SP - 15.08.2018: INSTAGRAM ACCOUNTS ARE BEING HACKED - A hack on Instagram caused multiple users to be compromised and lose access because the email address on their accounts was changed. According to victims' reports, the email was replaced by one on a Russian domain. (Photo: Aloisio Mauricio/Fotoarena/Sipa USA)

Indian hackers are the top earners of bounties from Facebook; crores of rupees have been paid to Indian hackers as rewards. Tech companies such as Facebook run bug bounty programs, under which finding loopholes, also called bugs, is rewarded. Recently, Facebook increased its bug bounty for account takeover.

A computer science student from Tamil Nadu, Laxman Muthiah, has exposed one of the biggest flaws in Instagram. Through this flaw, an Instagram account could be hacked, and no consent from the user was needed.

Facebook and Instagram have fixed the flaw, and Facebook has awarded Laxman 30,000 dollars (approximately 20.56 lakh rupees). According to Laxman, the bug he found lies in the way Instagram resets passwords. He said that because of this bug he could hack any Instagram account.

Laxman has said, "Through the Instagram web interface, I tried to reset the password, but there the Facebook link is used for the password reset option, which is quite strong. I did not find any bugs in this. After this I tried the Mobile Recovery Mode. Here I found a leak, because it (Instagram) sends a six-digit code for recovery, which arrives on the user's mobile number."

In a six-digit code password reset system there is always the possibility that the password can be changed through the verify endpoint if one could try all 10 million codes. But Laxman says he knew that a rate-limiting system would have been put in place on the 6-digit code to prevent a brute force attack.

According to Laxman, he sent around 1000 requests to test it, of which 250 went through, but the other 650 requests were rate limited. He tried again after this, but did not succeed.

Then he noticed a flaw: even when he kept sending requests, there were no blocks. He was not blocked, and he could keep requesting continuously. Here he realised Instagram's weakness, because he had succeeded in bypassing the rate limiting. Two things were responsible for this bypass: a race hazard (race condition) and IP rotation.

He used more than 1000 IPs for this attack. Because the repeated requests came from different IPs, they escaped the rate limits. If you do not know what a race hazard is, it is a kind of phenomenon in electronic and computing systems.

Simply put, a race hazard arises when data is read and written at the same time: the machine overwrites the old data with the new, even though the old data should still have been read during that time. Usually this shows up as a crash or corrupted information. A race condition, or race hazard, can also occur when operations are executed in the wrong order.
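The bypass described above comes down to two defensive mistakes in a verify endpoint: a counter that is read and then written in separate steps, so concurrent requests all see the same count, and an attempt budget tracked per client IP, so rotating IPs resets it. The following added example is not code from the article, Laxman or Instagram; it contrasts a naive check-then-increment limiter with an atomic one keyed on the account under reset, and the five-attempt budget and 50-request burst are constructed values.

```python
import threading
import time
from collections import defaultdict

MAX_ATTEMPTS = 5  # constructed: attempts allowed per account while one code is valid

class NaiveVerifyLimiter:
    """Check-then-increment: read the counter, decide, then write it back.
    Concurrent requests can all read the same value and all pass."""
    def __init__(self):
        self.attempts = defaultdict(int)

    def allow(self, account_id):
        current = self.attempts[account_id]
        if current >= MAX_ATTEMPTS:
            return False
        time.sleep(0.001)  # widens the read/write gap so the race shows in a demo
        self.attempts[account_id] = current + 1
        return True

class AtomicVerifyLimiter:
    """Increment-then-check under one lock, keyed on the account being reset rather
    than the client IP, so neither concurrency nor IP rotation widens the budget."""
    def __init__(self):
        self.attempts = defaultdict(int)
        self.lock = threading.Lock()

    def allow(self, account_id):
        with self.lock:
            self.attempts[account_id] += 1
            return self.attempts[account_id] <= MAX_ATTEMPTS

def simulate_burst(limiter, account_id="victim", concurrent_requests=50):
    """Release many verify requests for one account at once; return how many passed."""
    passed = []
    barrier = threading.Barrier(concurrent_requests)

    def worker():
        barrier.wait()  # every request leaves the gate at the same instant
        if limiter.allow(account_id):
            passed.append(1)

    threads = [threading.Thread(target=worker) for _ in range(concurrent_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(passed)
```

Calling `simulate_burst(NaiveVerifyLimiter())` lets far more than five requests through, while `simulate_burst(AtomicVerifyLimiter())` admits exactly five no matter how many IPs the burst came from.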

If all these terms are getting too technical for you, understand this: Laxman found a bug in the way Instagram resets passwords on mobile that let him keep attempting to reset a password without limit. He told Facebook about this. Because of a lack of information, Facebook did not initially accept it, but after a few emails with a proof-of-concept attached, this young man convinced Facebook that there is a weakness in Instagram.

Laxman says that in a real attack scenario, the attacker would need 5000 IPs to hack an account. That is a lot, but it is also easy to arrange, because one can use Amazon's and Google's cloud services for this.

Facebook fixed it soon after and awarded $30,000 under the bounty program.

Since independence
www.sinceindependence.com