Chennai-based security researcher Laxman Muthiyah has won $30,000 as a part of a bug bounty programme after he spotted a flaw in Facebook-owned photo-sharing app Instagram.
Mr. Muthiyah said the vulnerability allowed him to “hack any Instagram account”.
He discovered it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few emails and proof of concept video, I could convince them the attack is feasible,” Mr. Muthiyah wrote in a blog post.
Facebook and Instagram security teams fixed the issue and rewarded him $30,000.
Mr. Muthiyah had earlier identified not only a data deletion flaw, but also a data disclosure bug on Facebook.
The first bug could have deleted a user’s photos and the second could have tricked a Facebook user into installing a mobile phone app that could go through all the user’s pictures.