author photo
By SecureWorld News Team
Tue | Jul 16, 2019 | 4:48 AM PDT

A security researcher earned a nice bounty payout from Facebook after demonstrating an account takeover vulnerability. 

Threatpost reports:

A researcher earned a $30,000 bug bounty from Facebook after discovering a weakness in the Instagram mobile recovery process that would allow account takeover for any user, via mass brute-force campaigns.

Independent researcher Laxman Muthiyah took a look at Instagram’s mobile recovery flow, which involves a user receiving a six-digit passcode to their mobile number for two-factor account authentication (2FA). So, with six digits that means there are 1 million possible combinations of digits making up the codes.

“Therefore, if we are able to try all the 1 million codes on the verify-code endpoint, we would be able to change the password of any account,” he explained in a Sunday posting.