Swinnen: How I broke Instagram

Arne Swinnen discovered flaws in Instagram that allow finding codes of its members with brute force attacks. The security flaw would have allowed the researcher to gain access to around 20 million accounts.

The NVISO researcher reports that an authentication gap, coupled with a direct object reference vulnerability, allowed attackers to gain access to the 4% of accounts that were temporarily locked.

Facebook, which owns Instagram, rewarded Swinnen (@arneswinnen) with 5000 dollars for disclosing the vulnerability, and within 10 days developed a patch that corrects it.

Swinnen discovered an account verification link using a test account and then started changing the user ID in the URL, testing a million accounts.

The verification format was different for different accounts. Some were secure, while others allowed an attacker to intercept passwords.

"The case was quite embarrassing, as an attacker could collect sensitive user information (phone numbers) on the one hand, and on the other hand change the phone numbers associated with the victim's account on Instagram," Swinnen said.
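One way a server can close the direct object reference gap described above, shown as an added example (it is not Instagram's code and does not come from Swinnen's write-up): the verification handler only honours a user ID that arrives with a MAC issued for that same ID. The function names, the key and the account records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server

# Constructed sample records: two temporarily locked accounts.
ACCOUNTS = {
    1001: {"locked": True, "phone": "+10000000001"},
    1002: {"locked": True, "phone": "+10000000002"},
}

def make_link_token(user_id: int, expires: int) -> str:
    """MAC over account id and expiry, issued together with the verification link."""
    msg = f"{user_id}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def verify_naive(user_id: int) -> Optional[str]:
    """Weak pattern: the account is selected purely by the id in the URL."""
    acct = ACCOUNTS.get(user_id)
    return acct["phone"] if acct and acct["locked"] else None

def verify_bound(user_id: int, expires: int, token: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Hardened pattern: the id counts only with a valid, unexpired MAC for that id."""
    now = int(time.time()) if now is None else now
    expected = make_link_token(user_id, expires).encode()
    # Constant-time comparison; fails if the id was altered or the token
    # was issued for a different account.
    if not hmac.compare_digest(expected, token.encode()):
        return None
    if now > expires:
        return None
    acct = ACCOUNTS.get(user_id)
    return acct["phone"] if acct and acct["locked"] else None

if __name__ == "__main__":
    exp = int(time.time()) + 600
    tok = make_link_token(1001, exp)          # link issued to account 1001
    print("naive, altered id :", verify_naive(1002))
    print("bound, own id     :", verify_bound(1001, exp, tok))
    print("bound, altered id :", verify_bound(1002, exp, tok))
```
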

More details from the link below:

https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
