City-based techie reports bug on Instagram, gets reward
Tech-savvy Laxman, a security researcher, received a whopping $30,000 cash prize from Facebook for finding a bug in the Facebook-owned photo-sharing app Instagram while taking part in a bug bounty programme.
"The bug I found enabled me to hack into anyone's account," says the youngster.
Explaining how he figured out this vulnerability, Laxman says, “When any user wants to log in or asks for a password reset of a random account without knowing the original password, he/she is required to enter his/her username and a 6-digit code sent to his/her registered mobile phone number. I tried this out with my own account to alert the service providers to the flaws in the system. As I started entering random codes to get the permit to reset my password, my IP got locked after 40/50 times. Then I moved on to cloud computers and used 1000 such computers, and after sending 2 lakh codes, I was successful and the system unlocked the option for a reset. I did not have to send 10,00,000 codes, which is the minimum required for any password reset.”
He shot a video of himself doing the entire process and sent it to Facebook’s security team, shortly after which the team acknowledged the faulty system and started working on it.
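The weakness described above comes down to counting failed codes per IP address instead of per account. The following added example (not part of the original article and not Facebook's code) compares how many wrong codes each policy lets through for one account; the per-account limit of 5, the class and function names, and the source labels are assumptions made for illustration.

```python
from collections import defaultdict

CODE_SPACE = 10 ** 6  # a 6-digit reset code has 1,000,000 possible values


class PerIPLimiter:
    """Lockout keyed on the source address only (the weak policy)."""

    def __init__(self, max_failures):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def key(self, account, source):
        return source

    def allow(self, account, source):
        return self.failures[self.key(account, source)] < self.max_failures

    def record_failure(self, account, source):
        self.failures[self.key(account, source)] += 1


class PerAccountLimiter(PerIPLimiter):
    """Lockout keyed on the account whose code is being guessed."""

    def key(self, account, source):
        return account


def guesses_admitted(limiter, account, sources, tries_per_source):
    """Count the wrong codes the service would evaluate for one account."""
    admitted = 0
    for source in sources:
        for _ in range(tries_per_source):
            if not limiter.allow(account, source):
                break  # this source (or account) is locked out
            limiter.record_failure(account, source)
            admitted += 1
    return admitted


def coverage(admitted):
    """Fraction of the code space that the admitted guesses can cover."""
    return admitted / CODE_SPACE


# Constructed input: 1000 placeholder source labels, 200 tries from each.
SOURCES = [f"source-{i}" for i in range(1000)]

if __name__ == "__main__":
    for limiter in (PerIPLimiter(50), PerAccountLimiter(5)):
        n = guesses_admitted(limiter, "test-account", SOURCES, 200)
        print(type(limiter).__name__, n, f"{coverage(n):.4%}")
```

In practice the per-account counter is usually tied to the issued code, so exceeding it invalidates that code and a new one has to be requested.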
This is not the first victory for this security researcher. “I had participated in a programme in 2015 in which I showed them how it was possible to delete any picture album from Facebook. The option to view the pics saved on users’ phones and not uploaded on Facebook was another security breach I had pointed out.”
When asked about security flaws which still concern him, Laxman asserts, “Earlier there was a hidden feature on the Facebook app called photo back-up which would automatically send your photos to the site’s server as soon as you log in through the app and give them the permission to access your phone’s media files. You needed to turn it off manually. But now anyone could view your pic through any third party application. After I reported it, the feature was removed.”
Laxman has a piece of advice for internet users who are not aware of how much their safety could be at stake. “I always advise internet users to turn on the 2-factor authentication feature. This feature keeps your data safe.”
Speaking about his other interests, Laxman, who has a degree in computer engineering, says, “I am always exploring and learning the latest technology and this makes me happy. I had worked as a web developer for a year in 2015, but I had always wanted to have an organisation of my own and I now own a web developer company.”