InstaBrute: Flaws Allowed Hackers to Brute-force Instagram Account Credentials
Two vulnerabilities have been discovered in Instagram, which could allow malicious hackers to launch brute-force attacks against Instagram accounts.
Vulnerabilities allowed hackers to brute-force Instagram account credentials
Belgian security researcher Arne Swinnen received a $5,000 bounty from Facebook after reporting two serious vulnerabilities in Instagram. The vulnerabilities allowed attackers to launch brute-force attacks against Instagram accounts, both through the photo-sharing service's official Android application and through the registration page on Instagram.com. Brute-forcing was possible because the authentication system allowed 1,000 guesses from one IP address before it started displaying a message that the username didn't exist. That message was only displayed until the 2,000th attempt, from which point on the system alternated one "the password is incorrect" response with one "user not found" response.
The researcher says that the attacker could create a script that replayed the unreliable responses (i.e. "the password is incorrect") until "the response changed to 'username not found', although the user obviously still existed."
The next 1,000 consecutive guesses resulted in the "username not found" error message. From the 2,000th consecutive guess onward, a reliable response (password correct/incorrect) was followed by an unreliable one (user not found).
The attacker could then have logged into the compromised account from the same IP address that was used to brute-force the password, which indicated that the security controls weren't designed to protect accounts against unauthorized logins. Facebook has now fixed the issue, along with a second one that used the registration page on Instagram.com. The researcher submitted the vulnerabilities in December 2015 and in February this year. Facebook apparently fixed both, but the researcher found that one of the fixes wasn't working. New fixes were released this month, and the researcher has confirmed their effectiveness.
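As an added illustration (not code from Swinnen's write-up or from Instagram), the following Python sketch shows the server-side properties whose absence the report describes: one generic failure message whether or not the username exists, a failure budget counted per account and per source IP that, once spent, refuses every attempt (including the correct password) instead of alternating answers, and a review flag on any successful login from an IP with recent failures. The thresholds, the demo credential store and the hashing scheme are assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo credential store: username -> salted SHA-256 digest.
# (A real system would use a password hash such as bcrypt/argon2.)
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

MAX_FAILURES = 10        # assumed failure budget, applied per account AND per IP
LOCK_SECONDS = 900       # assumed sliding window for counting failures
GENERIC_FAIL = "Invalid username or password."   # one message for every failure


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(list)   # "user:<name>" / "ip:<addr>" -> timestamps

    def _recent(self, key, now):
        # Drop failures older than the window and return how many remain.
        self.failures[key] = [t for t in self.failures[key] if now - t < LOCK_SECONDS]
        return len(self.failures[key])

    def _locked(self, username, ip, now):
        # Throttle on both dimensions: one IP cannot walk an account's password
        # space, and many IPs cannot share a single account's budget.
        return (self._recent(f"user:{username}", now) >= MAX_FAILURES
                or self._recent(f"ip:{ip}", now) >= MAX_FAILURES)

    def login(self, username, password, ip, now=None):
        now = time.time() if now is None else now
        if self._locked(username, ip, now):
            # Budget spent: refuse everything, even a correct password, and
            # never switch to a different message that would act as an oracle.
            return {"ok": False, "msg": GENERIC_FAIL}
        stored = USERS.get(username)
        # Always hash the candidate so an unknown user does not answer faster.
        candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        if not ok:
            self.failures[f"user:{username}"].append(now)
            self.failures[f"ip:{ip}"].append(now)
            return {"ok": False, "msg": GENERIC_FAIL}
        # Success from an IP that recently failed against accounts is exactly the
        # pattern the report describes; mark it for step-up verification.
        review = self._recent(f"ip:{ip}", now) > 0
        return {"ok": True, "msg": "Welcome.", "review": review}
```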
For more details, please visit Swinnen's blog post.