Last week was rich in negative news concerning Instagram's security. It was not in any way linked to the earlier bug found by a Finnish schoolboy, but its possible consequences were probably even worse.
Belgian bug hunter Arne Swinnen has discovered a way to brute-force Instagram passwords, which allowed him to take control of user accounts with very little effort.
During May 2016 the same researcher found two major vulnerabilities that allowed access to any account, even very high-profile ones. His first discovery concerned web-based registration, the second Instagram's login API, but both relied on brute force to take over accounts.
The issues were attributed to Instagram's weak password requirements and its almost non-existent limit on login attempts. The bug hunter was rewarded with a bounty of $5,000 for both vulnerabilities, and Facebook has since tightened the password requirements, now accepting only passwords containing letters, numbers, and punctuation.
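The two weaknesses named above, an unlimited number of login attempts and a loose password policy, are exactly what a login endpoint's defences have to close. The following is an added example, not Instagram's or Facebook's code, of the two controls working together: a sliding-window limiter that counts failed logins per account and per source address, and a password-policy check requiring letters, digits and punctuation. The threshold values, the minimum length, the in-memory user store and the sample guesses are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import string
import time
from collections import defaultdict, deque

# Assumed policy values for this example; a real service tunes these per risk.
MAX_FAILURES = 5        # failed attempts tolerated per key in one window
WINDOW_SECONDS = 300    # sliding-window length in seconds


class LoginRateLimiter:
    """Sliding-window counter of failed logins, keyed by account and by source address."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable so tests can advance time
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures

    def _recent(self, key):
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures that fell out of the window
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)


def meets_password_policy(password, min_length=8):
    """Letters, digits and punctuation all required, plus a minimum length (assumed value)."""
    return (len(password) >= min_length
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def attempt_login(limiter, users, username, password, source_ip):
    """Return 'ok', 'denied' or 'rate_limited'. Limits apply per account and per source IP."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(limiter.is_blocked(k) for k in keys):
        return "rate_limited"               # refuse before the password is even checked
    record = users.get(username)
    if record is not None:
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            limiter.record_success(keys[0])
            return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "denied"


def run_guess_sequence(limiter, users, username, guesses, source_ip="198.51.100.7"):
    """Feed a list of candidate passwords through attempt_login and collect the outcomes."""
    return [attempt_login(limiter, users, username, g, source_ip) for g in guesses]


# Constructed sample account; the password satisfies the policy above.
SAMPLE_USERS = {"alice": hash_password("Tr0ub4dor&3")}
# Constructed guess list: the real password appears only after several wrong ones.
SAMPLE_GUESSES = ["password", "123456", "qwerty", "alice1", "letmein", "abc123", "Tr0ub4dor&3"]

if __name__ == "__main__":
    print(run_guess_sequence(LoginRateLimiter(), SAMPLE_USERS, "alice", SAMPLE_GUESSES))
    # With the limiter in place: five 'denied', then 'rate_limited' for the rest, so the
    # correct guess at position seven is never evaluated.
```

Keying the counter on both the account and the source address matters: a per-IP limit alone is defeated by spreading guesses across addresses, while a per-account limit alone lets a single source hammer many accounts. The limiter is consulted before the password is verified, so a blocked request costs the server no hashing work, and a successful login clears the account's counter so a legitimate user who mistyped a few times is not locked out for the full window.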
Instagram's web-interface improvements may open even more avenues for exploitation, but Facebook's sensible policy of rewarding bug hunters is gaining traction, as large bounties motivate hackers to report issues rather than take advantage of them.