
Published 12:37 IST, August 27th 2019

Chennai engineer finds a bug in Instagram, wins over Rs 7 lakh bounty

Facebook awarded Laxman Muthiyah, a Chennai-based independent security researcher, with a bug bounty of $10,000 for discovering a major loophole in Instagram

Reported by: Tanmay Patange

India has no shortage of talent. Recently, Chennai-based security researcher Laxman Muthiyah said he won $10,000 (more than 7 lakh rupees) for discovering a critical security loophole in the Instagram app. Muthiyah bagged the cash prize from Facebook as part of the social networking giant's bug-bounty program. But did you know this is not the first time Muthiyah has managed to grab the attention of one of the world's major technology and Internet companies? Previously, he had won $30,000 (more than 21 lakh rupees) for spotting a similar bug in the Facebook-owned photo and video-sharing social networking service. In fact, in 2015 as well, Muthiyah had won a $10,000 bug bounty from Facebook for another discovery.

Who is Laxman Muthiyah?

According to his LinkedIn profile, Chennai-based Laxman Muthiyah has been working as an independent security researcher since 2012. Muthiyah studied for a Bachelor of Computer Engineering at Sri Venkateswara College of Engineering in Tamil Nadu.

What was the hack?

In his recent blog post, Muthiyah detailed the Instagram vulnerability. If exploited, it could have allowed an attacker to access any Instagram account in less than 10 minutes.

"There are one million probabilities for a 6-digit pass code (000001 to 999999). When we request passcodes of multiple users, we are increasing the probability of hacking accounts. For example, if you request pass code of 100 thousand users using the same device ID, you can have 10 percent success rate since 100k codes are issued to the same device ID. If we request pass codes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the pass code one by one," Muthiyah said.


"Therefore, an attacker should request codes of 1 million users to complete the attack with 100 percent success rate. We should also note the 10-minute expiry of the code, so the entire attack should happen within 10 minutes," he added.
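The defensive side of the reasoning quoted above, as an added illustration that is not from the article or from Muthiyah's post: a verification service that binds each code to the account and device that requested it, enforces the 10-minute expiry, counts wrong guesses per account rather than per device, and flags device IDs that request codes for many distinct users within one code lifetime. The 6-digit code space and 10-minute expiry are the article's figures; the per-account guess budget and the per-device user threshold are assumed values.

```python
import secrets
from collections import defaultdict

CODE_SPACE = 10 ** 6         # six-digit codes 000000-999999, as the article notes
CODE_TTL = 600               # seconds; the article cites a 10-minute expiry
MAX_WRONG_GUESSES = 5        # assumed per-account guess budget (not from the page)
MAX_USERS_PER_DEVICE = 20    # assumed detection threshold (not from the page)


class ResetCodeService:
    """Issues and verifies 6-digit reset codes; wrong guesses are counted per account."""

    def __init__(self):
        self._codes = {}   # user -> [code, bound device, issued_at, wrong_guesses]
        self._log = []     # (device, user, issued_at) for the detection check below

    def issue(self, user, device, now):
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[user] = [code, device, now, 0]
        self._log.append((device, user, now))
        return code

    def verify(self, user, device, guess, now):
        entry = self._codes.get(user)
        if entry is None:
            return False
        code, bound_device, issued_at, wrong = entry
        # expiry, device binding and the per-account budget are checked before the guess
        if now - issued_at > CODE_TTL or device != bound_device or wrong >= MAX_WRONG_GUESSES:
            return False
        if secrets.compare_digest(code, guess):
            del self._codes[user]      # a code is single-use
            return True
        entry[3] += 1                  # budget is spent per account, not per device
        return False

    def suspicious_devices(self, window=CODE_TTL):
        """Device IDs that requested codes for many distinct users within one code lifetime."""
        per_device = defaultdict(list)
        for device, user, t in self._log:
            per_device[device].append((t, user))
        flagged = set()
        for device, events in per_device.items():
            events.sort()
            for t0, _ in events:
                users = {u for t, u in events if t0 <= t <= t0 + window}
                if len(users) > MAX_USERS_PER_DEVICE:
                    flagged.add(device)
                    break
        return flagged
```

With a per-account budget of five guesses, an attacker's chance per account stays at 5 in a million no matter how many users' codes are requested from one device, which is the property the quoted strategy relied on being absent.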


Furthermore, Muthiyah shared a screenshot of an email he received from Facebook and said that the Facebook security team has now resolved the issue. He thanked the Facebook security team for rewarding him through its bug bounty program, and Facebook has also acknowledged his contribution in its Hall of Fame for 2019.

Industry reactions

"The biggest challenge with most apps and cloud-based services is their ability to maintain the latest software updates: As software becomes outdated, new application updates are created to improve the functionality or security, and bugs in the programming get them fixed. If these updates are not administered quickly and properly, vulnerabilities do occur," said Diwakar Dayal, Managing Director of cybersecurity company Tenable.

Updated 12:59 IST, August 27th 2019