An independent researcher earned a $30,000 bug bounty after discovering a weakness in the mobile recovery process.
The researcher discovered a weakness in the Instagram mobile recovery process that would allow account takeover for any user, via mass brute-force campaigns.
Independent researcher Laxman Muthiyah took a look at Instagram's mobile recovery flow, in which a user receives a six-digit passcode on their mobile number as a two-factor authentication (2FA) step. With six digits, there are 1 million possible codes.
Read the full story on Threatpost: https://threatpost.com/researcher-bypasses-instagram-2fa/146466/
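As an added illustration of why a six-digit recovery code is only as strong as the limit on how many guesses the server accepts, here is a small in-memory verifier (example code, not Instagram's implementation or the researcher's work): with no attempt cap, all 1 million codes are reachable before the code expires; with a cap, each issued code can be tried only a handful of times before it is invalidated. The class and function names are hypothetical.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
KEYSPACE = 10 ** OTP_DIGITS  # six digits: one million possible codes


class OtpStore:
    """In-memory store of pending recovery codes keyed by phone number (illustrative)."""

    def __init__(self, max_attempts=5, ttl_seconds=600):
        # max_attempts=None models the weak design with no per-code guess limit
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self._pending = {}  # phone -> [code, expiry, attempts_left]

    def issue(self, phone, now=None):
        """Generate a fresh code for this phone, replacing any pending one."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(KEYSPACE):0{OTP_DIGITS}d}"
        self._pending[phone] = [code, now + self.ttl, self.max_attempts]
        return code

    def verify(self, phone, guess, now=None):
        """Return True only for the live code; burn the code once the guess budget is spent."""
        now = time.time() if now is None else now
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, expiry, attempts_left = entry
        if now > expiry or attempts_left == 0:
            self._pending.pop(phone, None)
            return False
        if attempts_left is not None:
            entry[2] = attempts_left - 1
        if hmac.compare_digest(code, str(guess)):  # constant-time comparison
            self._pending.pop(phone, None)  # single use
            return True
        if entry[2] == 0:
            self._pending.pop(phone, None)  # budget exhausted: a later correct guess must fail
        return False


def max_guess_probability(max_attempts):
    """Upper bound on an attacker's chance of guessing one code within its attempt budget."""
    if max_attempts is None:
        return 1.0  # unlimited attempts: the whole keyspace can be enumerated
    return min(1.0, max_attempts / KEYSPACE)
```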