Flaw in Instagram's Password Recovery Mechanism Gives Full Account Access

Security researcher Laxman Muthiyah discovered a critical vulnerability that could have allowed remote attackers to reset the password of Instagram accounts, thereby gaining full access to the compromised accounts. The vulnerability resided in the password recovery mechanism of the mobile version of Instagram.




"When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account. But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it," the researcher wrote.

Race Hazard and IP Rotation Issues

The researcher's tests revealed the presence of rate limiting. Apparently, he sent around 1000 requests, 250 of which went through and the rest were rate limited. Muthiyah performed the same test with another 1000 requests and found that Instagram's systems were indeed validating and rate limiting the requests in a proper way. However, the researcher noticed two things that puzzled him: the number of requests he was able to send, and the lack of blacklisting:

"I was able to send requests continuously without getting blocked even though the number of requests I can send in a fraction of time is limited."

After several other tests, the researcher discovered that a race hazard combined with IP rotation could allow him to bypass the rate limiting mechanism.

When does a race condition happen? Simply put, a race condition happens when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be performed correctly. In this case, the rate-limit check and the attempt count were not updated as one atomic step, so concurrent requests could pass the check before the count reflected them.

"Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited," the researcher explained. "The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack."
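To make the two weaknesses concrete, here is a small Python model added to this article (it is neither Instagram's code nor the researcher's proof of concept) of a verify-code endpoint: one variant counts attempts per source IP with an unlocked read-then-write, which is what IP rotation and concurrent requests defeat; the other counts attempts per account under a lock and invalidates the code once the budget is spent. The account name, IP addresses, code and budget are constructed values.

```python
import threading


class VerifyCodeEndpoint:
    """Toy model (constructed for this example) of a recovery-code check.

    vulnerable=True models the weakness described in the article: attempts
    are counted per source IP, so rotating IPs multiplies the budget, and
    the counter is updated without a lock, so concurrent requests can all
    read the same stale count.  vulnerable=False counts attempts per
    account under a lock and burns the code once the budget is spent.
    """

    def __init__(self, code: str, budget: int = 250, vulnerable: bool = False):
        self.code = code
        self.budget = budget
        self.vulnerable = vulnerable
        self.attempts: dict[str, int] = {}
        self.code_valid = True
        self.lock = threading.Lock()

    def verify(self, account: str, src_ip: str, guess: str) -> str:
        if self.vulnerable:
            used = self.attempts.get(src_ip, 0)  # per-IP quota: read ...
            if used >= self.budget:
                return "rate_limited"
            self.attempts[src_ip] = used + 1     # ... then write, not atomic
        else:
            with self.lock:                      # check-and-increment is atomic
                if not self.code_valid:
                    return "code_invalidated"
                used = self.attempts.get(account, 0)
                if used >= self.budget:
                    self.code_valid = False      # burn the code; user must request a new one
                    return "rate_limited"
                self.attempts[account] = used + 1
        return "ok" if guess == self.code else "wrong_code"


def attempts_admitted(endpoint: VerifyCodeEndpoint, n_ips: int, per_ip: int) -> int:
    """Count guesses that reach the code comparison when a client spreads
    per_ip guesses over n_ips documentation-range addresses (constructed)."""
    admitted = 0
    for i in range(n_ips):
        for j in range(per_ip):
            result = endpoint.verify("alice", f"198.51.100.{i}", f"{j:06d}")
            if result in ("ok", "wrong_code"):
                admitted += 1
    return admitted
```

With the per-IP model, four addresses each get the full 250-attempt budget (1000 guesses admitted); with the per-account model, 250 guesses are admitted in total and every later request is rejected because the code has been invalidated.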

Related: Exposed Database Details 49 Million Instagram Users

The vulnerability was reported to Facebook, but it took some time for Facebook's security team to reproduce the issue, as the information in the researcher's report was not sufficient. However, the proof-of-concept video convinced them that "the attack is feasible".

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys "Mr. Robot" and fears "1984". Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
