Facebook on Thursday patched a pair of vulnerabilities that enabled brute-force attacks against Instagram passwords, and also hardened its password policy.
Researcher Arne Swinnen privately disclosed the flaws in December and February, respectively. One bug was patched in February, while the other went through two rounds of fixes before the issue was resolved on May 10. Swinnen received a combined $5,000 bounty.
The severity of the vulnerabilities was exacerbated by Instagram’s weak password policies and its practice of assigning user IDs incrementally, which together put accounts in jeopardy with minimal effort, Swinnen said.
“This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones,” Swinnen wrote in a report describing details of both vulnerabilities.