Researcher Claims He Could Have Brute Force Hacked Any Microsoft Or Instagram Account
When someone resets a password, a code is typically sent to an account holder's email, which is then input into a website (or app) for verification purposes. Moreover, protections should prevent that code from being brute-forced by a hacker, but this isn't always the case. Laxman Muthiyah, a security researcher, recently reported that he could have hacked any Microsoft or Instagram account due to flaws in how the password changing mechanism was implemented.
Last year, Muthiyah collected around $80,000 between two bug bounty programs from Facebook and Microsoft after finding similar issues with both companies' password change processes. In the Instagram vulnerability, a password recovery system misconfiguration could allow an attacker to guess all one million security code combinations to change any account password. This would have worked by using a range of IP addresses to send concurrent password change requests using the guessed codes. Muthiyah managed to fire off 200k password change requests in his tests which gave the attack a solid proof of concept.
In Microsoft's case, while sending password requests with security codes from one IP was not feasible, spreading it out over multiple IPs at the same time again worked. However, the attack had to be tweaked and timed perfectly so that the security systems on Microsoft's end would not pick up on the attack and blacklist IPs. Furthermore, Muthiyah explained that due to the complexity of the attack with nearly 11 million requests required, it would not be an "easy process to send such large number of concurrent requests." Something of this scale "would require a lot of computing resources as well as 1000s of IP address to complete the attack successfully."
However, just because a task is difficult to accomplish doesn't mean that hackers will sit idly by. If the target was someone of high value, such as a celebrity or political figure, it might be worthwhile to throw resources at hacking them. Thankfully, these issues have been fixed, and Muthiyah walked away with a cool $80,000.