Security researcher Arne Swinnen discovered security holes in Instagram that allowed members' accounts to be compromised through brute-force attacks. The flaw would have let the researcher gain access to roughly 20 million accounts.
The NVISO researcher reports that a weakness in account verification, combined with an insecure direct object reference (IDOR) vulnerability, allowed attackers to gain access to the roughly 4% of accounts that were in a temporary locked state.
Facebook, which owns Instagram, rewarded Swinnen (@arneswinnen) with 5,000 dollars for reporting the vulnerability and developed a patch that fixed it within 10 days.
Swinnen found the account verification link using a test account and then started changing the user ID in the URL, testing a million accounts.
The verification page was not the same for every account. Some accounts were secure, while others let an attacker gain access to the account.
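The bug class described above, as an added illustration that is not code from the original article or from Instagram: a verification page addressed only by a sequential user ID taken from the URL (the IDOR), beside a hardened version whose links carry an unguessable, single-use token bound to one account. The account table, phone numbers, URL and function names are constructed for this example and are not the real endpoints.

```python
import hmac
import secrets
from copy import deepcopy

# Constructed sample data (not real Instagram data): a toy account table with
# sequential numeric IDs, the shape an IDOR target has. Phone numbers are fake.
SAMPLE_ACCOUNTS = {
    1001: {"username": "alice", "phone": "+15550000001", "locked": True},
    1002: {"username": "bob",   "phone": "+15550000002", "locked": False},
    1003: {"username": "carol", "phone": "+15550000003", "locked": True},
}


# --- Vulnerable pattern (hypothetical reconstruction of the bug class) -------

def vulnerable_verification_page(accounts, user_id):
    """Serve the 'verify your locked account' page keyed only on the user ID
    taken from the URL. Nothing proves the requester owns that account, so
    changing the number in the link reaches any other locked user's page."""
    acct = accounts.get(user_id)
    if acct is None or not acct["locked"]:
        return None
    return {"username": acct["username"], "phone": acct["phone"]}


def vulnerable_change_phone(accounts, user_id, new_phone):
    """Same flaw on the write path: the phone number used for recovery can be
    repointed to an attacker-controlled number for any locked user."""
    acct = accounts.get(user_id)
    if acct is None or not acct["locked"]:
        return False
    acct["phone"] = new_phone
    return True


# --- Hardened pattern --------------------------------------------------------

class VerificationService:
    """Verification links carry an unguessable, single-use token bound to one
    account. The user ID in the URL is no longer sufficient on its own."""

    def __init__(self, accounts):
        self.accounts = accounts
        self._tokens = {}  # user_id -> outstanding token (one per account)

    def issue_link(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[user_id] = token
        # Hypothetical URL scheme for the example only.
        return f"https://example.invalid/verify/{user_id}/{token}"

    def _authorized(self, user_id, token):
        expected = self._tokens.get(user_id)
        # A missing token fails closed; compare_digest keeps the check constant-time.
        return expected is not None and hmac.compare_digest(
            expected.encode(), token.encode())

    def verification_page(self, user_id, token):
        if not self._authorized(user_id, token):
            return None
        acct = self.accounts.get(user_id)
        if acct is None:
            return None
        return {"username": acct["username"], "phone": acct["phone"]}

    def change_phone(self, user_id, token, new_phone):
        if not self._authorized(user_id, token) or user_id not in self.accounts:
            return False
        self.accounts[user_id]["phone"] = new_phone
        self._tokens.pop(user_id)  # single use: the link dies once consumed
        return True


# --- The enumeration an assessor runs against both variants ------------------

def enumerate_leaked_phones(page_fn, id_range):
    """Walk a block of sequential IDs and collect every phone number the page
    hands back. A correct endpoint returns an empty dict for the whole range."""
    leaked = {}
    for uid in id_range:
        page = page_fn(uid)
        if page is not None:
            leaked[uid] = page["phone"]
    return leaked


def demo():
    ids = range(1000, 1010)
    accounts = deepcopy(SAMPLE_ACCOUNTS)
    # Against the vulnerable page every locked account in the block leaks.
    vuln_leak = enumerate_leaked_phones(
        lambda uid: vulnerable_verification_page(accounts, uid), ids)
    # Against the hardened service the attacker holds no valid token, so a
    # guessed token opens nothing even for IDs that really exist.
    svc = VerificationService(deepcopy(SAMPLE_ACCOUNTS))
    svc.issue_link(1001)  # the real link goes only to alice
    guessed = secrets.token_urlsafe(32)
    hard_leak = enumerate_leaked_phones(
        lambda uid: svc.verification_page(uid, guessed), ids)
    return vuln_leak, hard_leak


if __name__ == "__main__":
    print(demo())  # ({1001: '+15550000001', 1003: '+15550000003'}, {})
```

The point of the comparison is that the hardened service never trusts the identifier in the URL by itself: the token is the authorization, it is bound to exactly one account, and it is consumed on use, so walking the ID space yields nothing.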
"The case was quite embarrassing, as an attacker could, on the one hand, collect sensitive user information (phone numbers) and, on the other hand, change the phone numbers associated with the victim's Instagram account," Swinnen said.
More details at the link below:
https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/