Laxman Muthiyah has won $30,000 as a part of a bug bounty programme after he spotted a flaw in Instagram. He is a Chennai-based security researcher.
He said this unprotected feature allowed him to “hack any Instagram account”.
He discovered it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account, The Hindu reported.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and proof of concept video, I could convince them the attack is feasible,” Mr Muthiyah wrote in a blog post.
Facebook and Instagram security teams fixed the issue and rewarded him $30,000.
Paul Ducklin, Senior Technologist at cybersecurity major Sophos, however, warned that while the vulnerability found by Muthiyah no longer existed, users should familiarise themselves with the process of getting back control of their social media accounts in case they get hacked, NDTV reported.
“In case any of your accounts do get taken over, familiarise yourself with the process you’d follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards,” Ducklin said in a statement.