Researcher Wins $5,000 for Finding Two Ways to Brute-Force Instagram Accounts

Posted by JMH (Emeritus, Contributor)
Facebook fixed two glaring security issues on Instagram that allowed attackers to carry out brute-force attacks and take over user accounts without much difficulty.

Belgian security researcher Arne Swinnen discovered both issues, one that affected Instagram's Android login form, and another one that affected Instagram's Web-based registration system.

The researcher says that both brute-force issues were exploitable because of Instagram's lax password policy, its continued use of incremental user IDs, and its lack of proper rate-limiting protection.

Brute-force attack against Instagram's Android app

Swinnen discovered the first scenario, in which he could brute-force passwords through the Android app's login, at the end of December.

The researcher found that he could send at least 1,000 login attempts to the authentication endpoint used by the mobile app and receive reliable replies. After that, he says, some sort of rate limiting intervened and returned "username not found" responses.
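To make the missing control concrete, here is an added example (written for this post, not Instagram's or Swinnen's code) of a login handler that enforces a per-account and a per-source sliding-window limit and answers every failure with the same generic message, so the limiter cannot be used as a "username exists" oracle. The thresholds, the credential store and the 1,000-guess attack traffic are constructed for the demonstration; a real service would tune the limits to its own traffic and use a slow password hash with a production iteration count.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumed thresholds for the demo (not Instagram's real values).
WINDOW_SECONDS = 15 * 60   # sliding window length
MAX_PER_ACCOUNT = 10       # attempts against one username per window, from any source
MAX_PER_SOURCE = 50        # attempts from one source address per window, against any username
GENERIC_FAILURE = "invalid username or password"  # same text for unknown user and wrong password
DUMMY_SALT = b"\x00" * 16  # used to spend a hash on unknown usernames (timing parity)


def _hash(salt: bytes, password: str) -> bytes:
    # PBKDF2 keeps the example dependency-free; iteration count kept low so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def make_users(plain: dict) -> dict:
    """Constructed credential store: username -> (salt, hash)."""
    users = {}
    for name, pw in plain.items():
        salt = os.urandom(16)
        users[name] = (salt, _hash(salt, pw))
    return users


class SlidingWindowCounter:
    """Counts events per key inside a sliding time window."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = {}  # key -> deque of timestamps

    def hit(self, key, now: float) -> bool:
        """Record one event at time `now`; return True if the key is still under its limit."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)  # blocked attempts are recorded too, so hammering extends the block
        return len(q) <= self.limit


class LoginService:
    def __init__(self, users: dict):
        self.users = users
        self.per_account = SlidingWindowCounter(MAX_PER_ACCOUNT, WINDOW_SECONDS)
        self.per_source = SlidingWindowCounter(MAX_PER_SOURCE, WINDOW_SECONDS)

    def login(self, username: str, password: str, source_ip: str, now: float):
        """Returns (success, reason, message). `reason` is for server-side logs only;
        the client sees nothing but `message`."""
        # Count before checking anything, so a blocked attempt never reaches the
        # password check, even if the guess happens to be right.
        account_ok = self.per_account.hit(username.lower(), now)
        source_ok = self.per_source.hit(source_ip, now)
        if not (account_ok and source_ok):
            return False, "rate_limited", GENERIC_FAILURE
        record = self.users.get(username)
        if record is None:
            _hash(DUMMY_SALT, password)  # unknown user costs the same as a wrong password
            return False, "bad_credentials", GENERIC_FAILURE
        salt, expected = record
        if hmac.compare_digest(_hash(salt, password), expected):
            return True, "ok", "welcome"
        return False, "bad_credentials", GENERIC_FAILURE


def run_attempts(service: LoginService, attempts, start: float = 0.0):
    """Feed (username, password, source_ip) tuples one second apart.
    Returns (checked, blocked, successes): attempts that reached the password
    check, attempts the limiter refused, and usernames that logged in."""
    checked = blocked = 0
    successes = []
    for i, (user, pw, ip) in enumerate(attempts):
        ok, reason, _ = service.login(user, pw, ip, start + i)
        if reason == "rate_limited":
            blocked += 1
        else:
            checked += 1
            if ok:
                successes.append(user)
    return checked, blocked, successes


if __name__ == "__main__":
    svc = LoginService(make_users({"alice": "pass999"}))
    # Constructed attack: 1,000 guesses against one account from one address, as in the article.
    guesses = [("alice", f"pass{i}", "203.0.113.7") for i in range(1000)]
    print(run_attempts(svc, guesses))  # (10, 990, []) - the right guess is never even checked
```

Two design points matter here. The counters are updated before the credential lookup, so the limit applies to unknown usernames and to correct passwords alike, and the attacker learns nothing from the limiter's behaviour; and the per-account counter is keyed on the target username rather than the source address, so spreading 1,000 guesses over 1,000 addresses still yields only ten checked guesses per account, while the per-source counter catches the opposite pattern of one password sprayed across many usernames.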