This article is about an account takeover vulnerability I found on Instagram that allowed anyone to hack Instagram accounts without the owner's consent. The Facebook and Instagram security team fixed the issue and rewarded me $10000 as part of their bounty program.

Last month, I published a write-up on an Instagram account takeover vulnerability where I was able to hack any Instagram account within 10 minutes. This one is a similar vulnerability of lower severity.

As you can see in my previous post, the device ID is the unique identifier the Instagram server uses to validate password reset codes. When a user requests a pass code from his or her mobile device, a device ID is sent along with the request, and the same device ID is used again to verify the pass code.

Verify pass code

POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080×2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

recover_code=123456&device_id=device-id

The device ID is a random string generated by the Instagram application. So what if the same device ID is used to request pass codes for multiple Instagram accounts? I checked, and found that the same device ID can be used to request pass codes for any number of different users.

What’s the hack?

There are one million possibilities for a 6 digit pass code (000001 to 999999). When we request pass codes for multiple users under the same device ID, each guess has a chance of matching any one of those outstanding codes, so the probability of hacking an account goes up. For example, if you request pass codes for 100 thousand users using the same device ID, a guess has a 10 percent success rate, since 100k codes are issued to the same device ID. If we request pass codes for 1 million users, we would be able to hack all of the one million accounts simply by incrementing the pass code one by one.

Therefore, an attacker would need to request codes for 1 million users to complete the attack with a 100 percent success rate. Note also the 10-minute expiry of the code: the entire attack would have to happen within 10 minutes.
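As an added illustration (not code from this post or from Instagram), here is a small Python model of the two server-side designs: the flawed verification, in which the request names no account and any unexpired code outstanding for the device ID is accepted, beside a hardened version that binds each code to the (device ID, account) pair, caps attempts per account and consumes a code on use. The store, the method names and the attempt cap are assumptions for the demo.

```python
import secrets
from collections import defaultdict

CODE_SPACE = 1_000_000   # six-digit codes, 000000 to 999999
CODE_TTL = 600           # ten-minute expiry, as in the post


class RecoveryStore:
    """In-memory model (constructed for this example) of the recovery-code flow."""

    def __init__(self):
        # (device_id, user_id) -> (code, expiry time)
        self.codes = {}
        # user_id -> number of verification attempts made against that account
        self.attempts = defaultdict(int)

    def issue(self, device_id, user_id, now):
        """Generate a fresh code bound to the requesting device and the account."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[(device_id, user_id)] = (code, now + CODE_TTL)
        return code

    def verify_weak(self, device_id, code, now):
        """Models the flawed check: the request names no account, so any unexpired
        code issued to this device_id, for any user, is accepted. With N codes
        outstanding, a single guess succeeds with probability N / CODE_SPACE."""
        for (dev, user), (issued, expiry) in self.codes.items():
            if dev == device_id and now < expiry and issued == code:
                return user
        return None

    def verify_hardened(self, device_id, user_id, code, now, max_attempts=5):
        """Hardened check: the caller must name the account, the code must be the
        one issued to exactly this (device, account) pair, attempts are capped per
        account, and a code is consumed on first successful use."""
        if self.attempts[user_id] >= max_attempts:
            return None
        self.attempts[user_id] += 1
        entry = self.codes.get((device_id, user_id))
        if entry is None:
            return None
        issued, expiry = entry
        if now >= expiry or not secrets.compare_digest(issued, code):
            return None
        del self.codes[(device_id, user_id)]   # single use
        return user_id
```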

The issue has now been resolved by the Facebook security team, and Instagram accounts can no longer be hacked using this vulnerability.

After the patch

[Screenshot: $10k bounty from Facebook]

I thank the Facebook security team for rewarding me through their bug bounty program. Let me know your thoughts in the comments 🙂

Previous article: How I Could Have Hacked Any Instagram Account