Laxman Muthiyah, a techie from Chennai, the capital of Tamil Nadu, India recently discovered a new account takeover vulnerability on Instagram, the photo and video sharing application. He won a sum of USD 10,000 as part of the app’s bug bounty programme.
The security flaw basically allowed attackers to hack Instagram accounts without permission.
Muthiyah had also won USD 30,000 just a month ago in July when he shed light on another security vulnerability for Facebook, the same parent company.
"Facebook and Instagram security team fixed the issue and rewarded me USD 10000 as a part of their bounty programme," said Muthiyah in a blog post.
Muthiyah had discovered that the same device ID that Instagram uses to validate password resets, could also be used to request more than one passcodes of various users.
"You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to ten attempt recovery," said Facebook in a letter to Muthiyah. The company has since fixed the issue.