An independent researcher, Laxman Muthiyah, earned a $30,000 bug bounty from Facebook after finding a flaw in Instagram's mobile account-recovery process.

Muthiyah examined Instagram's mobile recovery flow, in which a user receives a six-digit passcode on their mobile number for two-factor account verification (2FA).

“Therefore, if we are able to try all the 1 million codes on the verify-code endpoint, we would be able to change the password of any account,” he explained in a blog post on Sunday.

While trying 1 million codes within the 10 minutes before the one-time passcode expires sounds daunting, this kind of brute-forcing is feasible with an automated script and a cloud service account, he said.

“In a real attack scenario, the attacker needs 5,000 IP [addresses] to hack an account,” he said. “It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”

The recovery mechanism does have a rate-limiting protection – i.e., the number of log-in attempts within a set amount of time from any one IP address is restricted. In Muthiyah’s first attempt, he sent around 1,000 requests, but only 250 of them went through. However, he also discovered that Instagram doesn’t blacklist IP addresses that have exceeded the number of allowed attempts for a certain time period, so he could toggle between IP addresses in order to perform a continuous attack.

He was also able to confuse the rate-limiting mechanism by sending concurrent requests, creating a race condition (or race hazard) that doubled the number of attempts that went through.

“I found two things that allowed me to bypass their rate-limiting mechanism: Race hazard and IP rotation,” he said. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of requests and the number of IPs we use. Also, I realized that the code expires in 10 minutes, which makes the attack even harder; therefore we need thousands of IPs to perform the attack.”
