Laxman told Bhaskar: Even after sending a thousand requests, my number was not blocked; I detected the bug here
Laxman got a Rs 20 lakh reward from Facebook and has been invited to America; he will participate in a conference from 6 to 12 August
Data Intelligence Desk: Laxman Muthiah, who lives in Tamil Nadu, recently highlighted a major flaw in Instagram, the large social media platform. Any Instagram account could be hacked by changing its password, with no need for the user's permission. Facebook has given Laxman $30,000 (approximately Rs 20.56 lakh) as a reward for catching this loophole. Laxman shared his full experience with the Daily Bhaskar app. He also explained how he found the bug in Instagram and what he did to find it.
A career can be made in ethical hacking, but a market like America's is not available in India.
How did you get the opportunity to find a bug on Instagram?
According to Laxman, Facebook is continuously increasing the security of its platforms. Because of this, the company has also increased the reward amount, so that flaws are detected quickly. I also tried my luck on Facebook and Instagram. Luckily I found a flaw in Instagram, which I could prove.
How did you find the bug on Instagram?
Laxman says: Instagram's 'Forgot Password' option was the first thing that came to my mind. This option is available for those who forget the password of their account. I tried to reset the password through the Instagram web interface. The company has provided a link-based password reset mechanism, which is quite strong. After testing, I did not find any weakness in it.
Then how did you succeed?
Laxman: I did not give up. I moved on to the mobile recovery flow. Here I was successful in finding a susceptible behavior. Whenever a user enters his mobile number, a 6-digit passcode is sent to him. The password can be changed using this passcode. If we try 10 million codes on the verify endpoint, we can change the password for an account. However, I believed that there would be a limit set to prevent this. After this, I decided to test it.
How did you do the test? Explain in simpler language.
I knew that, in order to prevent brute-force attacks, a rate-limiting system would have been put in place for the 6-digit code. I sent 1000 requests as a test. 250 of the requests were successfully sent. 750 requests got rate limited. Even after this I continued to try. The account was not blocked for sending too many requests. This stayed in my mind. From here I realized the loophole in Instagram. Then I used more than a thousand IPs and sent requests from different IPs. This saved me from getting limited, and I found a loophole in the process of resetting Instagram passwords.
Why did you choose Instagram for this?
I have also tried on Facebook, but finding a bug there is very difficult. Finding bugs on Instagram is easier than on Facebook. So I tried here.
Have you already hacked any platform?
Yes, I have done it. However, I spend more time on Facebook because I know it well. Instagram is also a Facebook platform. Facebook's reward is pretty good, so most people try on this platform. Had I found on Google the bug I found in Instagram, then maybe I could have got only 10 thousand dollars, while now I got 30 thousand dollars as a reward.
Do you also hack websites on demand?
Yes, I own a company. I do penetration tests and charge for them.
What is the routine during this type of task?
I do not do this work every day; I give more time to software development work. During my college years, I devoted a lot of time to hacking. Now times have changed. I devote two to three hours, three days a week.
Can ethical hacking be seen as a career in India?
Yes, of course. Everyone needs cyber security today. However, a big market for it has not yet developed in India. In countries like America, you can earn a lot of money in this work.
Any invitation from Facebook after this achievement?
Yes, Facebook has invited me to join the conference in the US. The invitation came two days ago. I have applied for a visa. The conference is to be held from August 6 to August 12. A total of three people from India have been selected for the conference. I am one of them.
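
The weakness described in the mobile recovery answers above is a limiter keyed only on the source IP, with nothing counted against the account or the issued code. The sketch below is an added example, not part of the interview and not Instagram's code; the `ResetCodeVerifier` class, the limits, the code value and the documentation-range IP addresses are all constructed for illustration. It shows the same wrong guess hitting a per-IP-only check and a check that also counts failures per issued code.

```python
import hmac
from collections import Counter

PER_IP_LIMIT = 5     # assumed value: attempts allowed per source IP
PER_CODE_LIMIT = 5   # assumed value: failed guesses allowed per issued code


class ResetCodeVerifier:
    """Hypothetical verifier for one account's 6-digit recovery code."""

    def __init__(self, code, bind_to_account):
        self.code = code
        self.bind_to_account = bind_to_account
        self.per_ip = Counter()   # attempts seen from each source IP
        self.failures = 0         # failed guesses against this code, from any IP
        self.revoked = False

    def verify(self, source_ip, guess):
        if self.revoked:
            return "code_revoked"
        self.per_ip[source_ip] += 1
        if self.per_ip[source_ip] > PER_IP_LIMIT:
            return "rate_limited"
        if hmac.compare_digest(guess, self.code):
            self.revoked = True   # a code is single use
            return "ok"
        self.failures += 1
        if self.bind_to_account and self.failures >= PER_CODE_LIMIT:
            self.revoked = True   # user has to request a fresh code
            return "code_revoked"
        return "wrong_code"


def outcomes(bind_to_account, requests):
    """Run constructed requests against a fresh verifier and tally the results."""
    verifier = ResetCodeVerifier("483920", bind_to_account)
    return Counter(verifier.verify(ip, guess) for ip, guess in requests)


# Constructed traffic: 1000 wrong guesses from one IP, and the same 1000
# spread over 250 addresses so that no single IP exceeds PER_IP_LIMIT.
SINGLE_IP = [("198.51.100.1", "000000")] * 1000
SPREAD = [(f"198.51.100.{i % 250}", "000000") for i in range(1000)]

if __name__ == "__main__":
    print("per-IP only, one IP:   ", dict(outcomes(False, SINGLE_IP)))
    print("per-IP only, many IPs: ", dict(outcomes(False, SPREAD)))
    print("per-code cap, many IPs:", dict(outcomes(True, SPREAD)))
```

With only the per-IP counter, every spread-out guess is still compared against the code; with the per-code cap, the code is revoked after five failures regardless of where the requests come from.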