A security researcher recently discovered a flaw in the way Instagram validated password reset codes. Because of the defect, an attacker could submit one million reset-code guesses against a target account within the ten-minute window in which a code stays valid, enough to recover the code with 100% success.
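To show why an unlimited number of guesses inside a ten-minute window defeats a short numeric code, and what the missing control looks like, the Python below is an added example for this page; it is not Instagram's code and not taken from the researcher's write-up. It models a reset-code store in two configurations: one that only enforces expiry (so a caller who can submit guesses without limit enumerates the code space with certainty) and one that also caps guesses per issued code. The six-digit code length, the five-attempt cap and the account names are assumptions for the example; the ten-minute validity window comes from the article.

```python
import secrets
import time

CODE_DIGITS = 6            # assumption: six-digit numeric reset code
CODE_TTL_SECONDS = 600     # ten-minute validity window, as in the article
MAX_ATTEMPTS = 5           # assumption: guesses allowed before the code is burned


class ResetCodeStore:
    """Issues and verifies one-time password reset codes.

    enforce_attempt_limit=False: only the expiry is checked, so anyone who can
    submit guesses quickly enough can try every possible code (the situation
    the article describes).
    enforce_attempt_limit=True: each issued code accepts at most MAX_ATTEMPTS
    guesses and is invalidated when they are used up, so brute force is capped
    regardless of how many requests the attacker can send.
    """

    def __init__(self, enforce_attempt_limit, clock=time.monotonic,
                 rng=secrets.randbelow):
        self.enforce_attempt_limit = enforce_attempt_limit
        self.clock = clock          # injectable for deterministic testing
        self.rng = rng              # injectable for deterministic testing
        self._codes = {}            # account -> [code, issued_at, attempts_used]

    def issue(self, account):
        code = f"{self.rng(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self.clock(), 0]
        return code

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]        # expired: burn it
            return False
        if self.enforce_attempt_limit:
            entry[2] += 1
            if entry[2] > MAX_ATTEMPTS:
                del self._codes[account]    # too many guesses: burn it
                return False
        if secrets.compare_digest(code, guess):
            del self._codes[account]        # one-time use
            return True
        return False


def brute_force(store, account, max_guesses=10 ** CODE_DIGITS):
    """Try every code in order; returns (success, guesses_made)."""
    for n in range(max_guesses):
        if store.verify(account, f"{n:0{CODE_DIGITS}d}"):
            return True, n + 1
    return False, max_guesses


def guess_success_probability(attempts):
    """Chance of hitting a uniformly random code within `attempts` guesses."""
    return min(1.0, attempts / 10 ** CODE_DIGITS)


if __name__ == "__main__":
    weak = ResetCodeStore(enforce_attempt_limit=False)
    weak.issue("alice")          # constructed account name
    print("no attempt cap:", brute_force(weak, "alice"))

    hardened = ResetCodeStore(enforce_attempt_limit=True)
    hardened.issue("alice")
    print("attempt cap:", brute_force(hardened, "alice"))
    print("P(success) with 1,000,000 guesses:", guess_success_probability(10 ** 6))
    print("P(success) with 5 guesses:", guess_success_probability(MAX_ATTEMPTS))
```

The attempt cap is tied to the issued code, not to the caller's address, so it cannot be sidestepped by spreading the guesses across many sources; it also keeps the expiry check, since a code that is never guessed should still die after ten minutes.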

Eve Maler , VP of Innovation & Emerging Technology
InfoSec Expert
August 28, 2019 12:43 pm

It is fortunate that a white hat hacker identified Instagram’s vulnerabilities before a malicious actor did. However long the vulnerability was left unpatched, hackers with malicious intentions could have exploited millions of Instagram accounts for their own personal gain, such as spreading spam, misinformation and propaganda or demanding a hefty price for the return of the accounts or account details to their rightful owners.

While the Facebook security team addressed the vulnerability upon notice, companies cannot solely rely on point-in-time testing by security researchers or IT personnel. Enterprises and organizations that manage large amounts of consumer data must utilize comprehensive security strategies that leverage real-time, contextual and continuous authentication and authorization management that identify anomalous behavior. Additionally, these real-time strategies must prompt further action for authentication, such as identity verification, when an unknown user is accessing a database of customer information, to put more barriers between threat actors and sensitive information.

Information Security Buzz