A newly disclosed vulnerability could allow a remote attacker to reset the password on another user's Instagram account and take complete control of it. The flaw resides in the password recovery feature of the Instagram mobile app. When a user invokes that feature, Instagram sends a six-digit code via SMS or email, and the user must enter it to prove ownership of the account. A six-digit code has only one million possible values, which puts it within reach of a brute force attack. Instagram applies rate limiting to the recovery endpoint to restrict the number of attempts from a single source, but the researcher bypassed it simply by spreading the guesses across many different IP addresses. Each code is valid for only 10 minutes, after which it expires and a new one must be requested, so the attacker must submit all of the guesses within that window (covering the full code space in 10 minutes works out to roughly 1,700 guesses per second). The proof-of-concept video showed an ethical hacker taking over a test account after trying 200,000 codes.
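The following is an added example, not Instagram's code and not part of the original write-up. It models the two controls the paragraph contrasts: a per-IP rate limit, which an attacker rotating source addresses walks around, and a per-account cap on wrong guesses that burns the code after a handful of failures regardless of where the guesses come from. The limits (200 guesses per IP, 10 wrong guesses per code), the `ResetService` class and the `brute_force` attacker model are all hypothetical; the six-digit code space and the 10-minute window are taken from the write-up.

```python
import secrets
from collections import defaultdict

CODE_SPACE = 10 ** 6        # a six-digit decimal code: 000000..999999
CODE_TTL_SECONDS = 600      # the 10-minute validity window from the write-up
PER_IP_LIMIT = 200          # hypothetical per-IP cap over one code's lifetime
PER_CODE_LIMIT = 10         # hypothetical per-account cap on wrong guesses (the fix)


def required_rate(coverage=1.0, code_space=CODE_SPACE, ttl=CODE_TTL_SECONDS):
    """Guesses per second needed to try `coverage` of the code space inside the TTL."""
    return code_space * coverage / ttl


def required_ips(coverage=1.0, code_space=CODE_SPACE, per_ip_limit=PER_IP_LIMIT):
    """Source addresses needed when each address is capped at per_ip_limit guesses."""
    guesses = int(code_space * coverage)
    return -(-guesses // per_ip_limit)   # ceiling division


class ResetService:
    """Toy password-reset endpoint (hypothetical, not Instagram's implementation).
    per_code_limit=None reproduces the weak, IP-only policy."""

    def __init__(self, per_ip_limit=PER_IP_LIMIT, per_code_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_code_limit = per_code_limit
        self.codes = {}                                       # account -> [code, issued_at, wrong]
        self.ip_guesses = defaultdict(lambda: defaultdict(int))  # account -> ip -> guesses
        self.clock = 0.0                                      # simulated seconds; no real sleeps

    def issue_code(self, account, code=None):
        """Issue a fresh six-digit code (the simulated SMS/email); a fixed code may be
        passed in so that a simulation is deterministic."""
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = [code, self.clock, 0]
        self.ip_guesses[account] = defaultdict(int)
        return code

    def verify(self, account, guess, src_ip):
        entry = self.codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at, _wrong = entry
        if self.clock - issued_at > CODE_TTL_SECONDS:
            del self.codes[account]
            return "expired"
        # Weak control: count per source address. Rotating addresses defeats it.
        if self.ip_guesses[account][src_ip] >= self.per_ip_limit:
            return "rate_limited"
        self.ip_guesses[account][src_ip] += 1
        if secrets.compare_digest(guess, code):
            del self.codes[account]          # single use
            return "ok"
        entry[2] += 1
        # Fix: count per account, independent of source. After a few wrong guesses the
        # code is burned and the legitimate user must request a new one.
        if self.per_code_limit is not None and entry[2] >= self.per_code_limit:
            del self.codes[account]
            return "locked"
        return "wrong"


def brute_force(service, account, ips, max_guesses):
    """Attacker model from the write-up: walk the code space, moving to the next
    source address whenever the current one is throttled. Returns the number of
    guesses that were needed, or None if the attack was stopped."""
    ip_index = 0
    for i in range(max_guesses):
        guess = f"{i:06d}"
        for _ in range(len(ips)):
            result = service.verify(account, guess, ips[ip_index % len(ips)])
            if result != "rate_limited":
                break
            ip_index += 1
        else:
            return None                      # every address is throttled
        if result == "ok":
            return i + 1
        if result != "wrong":
            return None                      # locked, expired or already burned
    return None


def demo(code="123456"):
    ips = [f"10.0.{i // 256}.{i % 256}" for i in range(required_ips(0.2))]  # constructed pool
    weak = ResetService(per_ip_limit=PER_IP_LIMIT, per_code_limit=None)
    weak.issue_code("victim", code=code)
    fixed = ResetService(per_ip_limit=PER_IP_LIMIT, per_code_limit=PER_CODE_LIMIT)
    fixed.issue_code("victim", code=code)
    return {
        "rate_per_second_full_space": required_rate(),
        "ips_for_200k_guesses": len(ips),
        "weak_policy_guesses": brute_force(weak, "victim", ips, 200_000),
        "fixed_policy_guesses": brute_force(fixed, "victim", ips, 200_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the IP-only policy the attacker with 1,000 addresses and 200 guesses each reaches the code; against the per-account cap the same attacker is stopped after 10 wrong guesses and the code is invalidated, so rotating addresses buys nothing. The defensive point is that the counter has to be keyed on the thing being attacked (the account or the code), not on the attacker's chosen identifier.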
Analyst Notes
Instagram has released a patch for this vulnerability in its latest update, and users should update the app as soon as possible. Enabling two-factor authentication is also recommended; it adds a second check at login that would stop an attacker who does manage to obtain the account's password.