Last month, a Chennai-based techie made news for receiving USD 30,000 from Facebook for spotting a major security flaw. Laxman Muthiyah demonstrated how multiple Instagram accounts could be hacked within minutes. The youngster submitted his findings to the company and was rewarded. A little over a month later, he is in the news again for winning USD 10,000 thanks to hunting a bug on the same platform. An avid cyber security buff, Laxman works in Chennai consulting on information security, web and software development.
“Both times I demonstrated account takeovers, that is, how you can hack someone’s Instagram account without their permission. The first time, I showed that one can target a specific account and hack it. Second time around, I showed that one can target a list of accounts. This time the reward was less because the success rate of the second method is less,” he laughs.
Elaborating on this, he says that the bug – which has since been fixed – could affect many users depending on the resources one employs. “When you forget your Instagram password, there is a forgot password feature. When you enter your mobile number, you will be sent a security code. When you enter the code, you can get your account back. When you request such a password, Instagram generates a random device ID corresponding to your ID and mobile. Only with that will you get your security code. When one enters the security code, the device ID will also be identified on Instagram’s servers (a unique pairing). I showed that this was not unique and that multiple security codes were issued for the same device ID. There is at least a 10% chance of successful hacking due to this,” he explains.
Laxman is something of a veteran at bug bounty programmes, which are platforms where tech companies welcome users to find security vulnerabilities. With ethical guidelines and the promise of rewards, these programmes make it easier for companies to address issues after bounty hunters demonstrate flaws. Laxman has been a security geek from the time he attended a workshop in 2013 which sparked his interest in hunting for bugs.
He adds, “I feel proud. Programmes like this are rare in India but appreciated in foreign countries so it feels good. At the same time, as opposed to just giving out rewards, they conduct events where we are invited for activities like live-hacking, etc. It’s a great opportunity to learn about new features. We are allowed access to test it.”