Who is Laxman Muthiyah, Chennai bug-hunter who spotted big problem in Instagram? Know how to protect your account
Security Researcher Laxman Muthiyah came across vulnerability in Instagram account, which allowed him to hack any account without even consent permission.
Since last week, many news about Facebook-owned Instagram app have been reported. But one of the most interesting reports that caught the attention of scores of users was about the presence of a bug in the Instagram app. The bug was spotted by Chennai-based security researcher Laxman Muthiyah. In the past, Muthiyah has uncovered not only a data deletion flaw but also data disclosure bug in Facebook.
Who is Laxman Muthiyah?
Muthiyah has been self-employed for seven years. He has a Bachelor of Engineering and Computer Science degree. His major works have been in regards to finding bugs, data issue and other security problems in the Facebook account, for which the social media engine has not shied away in rewarding him.
Muthayah’s Instagram bug encounter
The researcher recently came across a vulnerability in Instagram account, which allowed him to hack any account without the consent of the account holder. His discovery from the research was that it was possible to take control of someone else’s Instagram account by just three simple actions - triggering a password reset, requesting a recovery code and quickly trying out every possible recovery code against the account.
Muthiyah even estimated that setting up that sort of attack from a bunch of cloud accounts on Amazon or Google would cost about $150, so although you couldn’t easily hack everyone’s account with the mentioned trick, you could reliably and fairly cheaply hack someone’s account.
Once the bug was recognised, Muthiyah reported the vulnerability to the Facebook team. As it was convinced about the potential threat in their security features both Facebook and Instagram team rewarded Muthiyah with $30,000 as a part of their bounty programme.
Surprisingly, this would not be Muthiyah’s first reward from Facebook. In 2015, he had won two rewards from the Mark Zuckerberg-led company. At first, Muthiyah was rewarded with $12,500 for finding a photo deleting vulnerability on Facebook’s program back in February 2015. In the next month March itself of 2015, Muthiyah received another reward of $10,000, for reporting Facebook about a vulnerability which allowed anyone to view private photos of a user.
What can you do to protect your Instagram account?
After Muthiyah’s revelation, Paul Ducklin, Senior Technologist, Sophos shares his insight with Zee Business Online on what Instagram users could do:
At first, to protect your Instagram account from this attack, you don’t need to do anything. Facebook altered Instagram’s server-side defensive mechanism unilaterally, so this attack no longer works.
Meanwhile, if you receive an account recovery code or a password reset message that you didn’t request, report it. It means that someone other than you is probably trying to take over the account, hoping you won’t notice until after they’ve had a crack at getting in.
On the other hand, in case any of your accounts do get taken over, familiarise yourself now with the process you’d follow to win them back. In particular, if there are documents or usage history that might help your case, get them ready before you get hacked, not afterwards.
Also, if you are programming a rate-limiting security system of your own, actively protect the victim as well as slowing down any attackers. In this case, limiting the scale of each attack is a good thing to do, but you also need a direct defence for the account that’s being attacked.