Chennai-based security researcher Laxman Muthiyah has won $30,000 as a part of a bug bounty programme after he spotted a flaw in Facebook-owned photo-sharing app Instagram.
Muthiyah said the vulnerability allowed him to to “hack any Instagram account without consent permission.”
He discovered it was possible to take over someone’s Instagram account by triggering a password reset, requesting a recovery code, or quickly trying out possible recovery codes against the account.
“I reported the vulnerability to the Facebook security team and they were unable to reproduce it initially due to lack of information in my report. After a few email and proof of concept video, I could convince them the attack is feasible,” Muthiyah wrote in a blog post this week.