An Indian origin researcher, Laxman Muthiyah, has discovered a bug in the popular social media platform Instagram, for which Facebook awarded him $30,000. The bug was such that the accounts could be hacked into by attempting different recovery codes for an account after initiating a password reset. “Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is strong, and I couldn’t find any bugs after a few minutes of testing. Then switched to their mobile recovery flow, where I was able to find a susceptible behaviour,” Laxman Muthiyah wrote in his blog.
What are bug bounty programmes?
Bug bounty programmes, where white hat hackers inform companies of vulnerabilities for which they are rewarded, are nothing new, at least in the global arena. The bounty hunters test systems with the prior sanction of the organisations and disclose the presence of bugs. Some of these bugs could potentially compromise financial data, personal information or identity of billions of users. The first of its kind was introduced by Netscape in 1995. Mozilla (2004), Google (2010), Facebook (2011) and Microsoft (2013) followed suit, promising lucrative deals for hackers who could point out security flaws in their systems.
And, Indians dominate the sector. According to a 2016 report by US-based bug bounty aggregator Bugcrowd, Indians accounted for around 39 per cent of the bounty hunters globally, followed by the US (11.79 per cent). Facebook announced that, in 2016, Indians received the highest number of bounty payouts. It paid a total of $6,11,741 to 149 researchers in 2016. Indian companies are also in the fray. Paytm, MobiKwik and Ola have launched their bug bounty programmes.
Arun Suresh Kumar, 21, of Kollam in Kerala hogged the headlines when Facebook paid him $16,000 for reporting a bug in the website’s Business Manager tool. “Using the bug, I could have taken over any Facebook page,” he said. The final-year student of computer science, who was inducted into the Facebook Hall of Fame in 2016, is as worried about his exams and projects as any other student. Does the college interfere with his research? “Usually, they are mutually exclusive. It is only at night, I catch up on the latest developments in the field or coordinate with my counterparts in the US,” he said.