This article is about an account takeover vulnerability I found in Instagram that allowed anyone to take over Instagram accounts without the owner's consent. The Facebook and Instagram security teams fixed the issue and rewarded me $10,000 under their bug bounty program.
Last month, I published a write-up on an Instagram account takeover vulnerability that let me take over any Instagram account within 10 minutes. The vulnerability described here is similar, but of lower severity.
As explained in my previous post, the device ID is the unique identifier the Instagram server uses to validate password reset codes. When a user requests a passcode from their mobile device, a device ID is sent along with the request, and the same device ID must be sent again to verify the passcode.
Verify passcode
POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1
User-Agent: Instagram 126.96.36.199.114 Android (27/8.1.0; 440dpi; 1080×2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
The device ID is a random string generated by the Instagram application. So what if the same device ID is used to request passcodes for multiple Instagram accounts? I checked, and found that the same device ID can indeed be used to request passcodes for many different users.
What’s the hack?
A 6-digit passcode has one million possible values (000000 to 999999). Requesting passcodes for many users under the same device ID raises the chance that any single guess matches one of them. For example, if you request passcodes for 100 thousand users using the same device ID, roughly 10 percent of the one million code values are now valid for that device ID, so each guess has about a 10 percent chance of matching some account's code. If we request passcodes for one million users, enumerating the code space by incrementing the passcode one by one submits every code that was issued, so every one of those accounts can be taken over.
Therefore, to complete the attack with a 100 percent success rate, an attacker would request codes for one million users. The codes also expire after 10 minutes, so the whole attack, requesting the codes and enumerating the code space, has to finish within that window.
Facebook's security team has now fixed the issue, and Instagram accounts can no longer be taken over using this vulnerability.
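To make the probability argument above concrete, here is a small simulation I added for this write-up; it is not Instagram's code and not the patch Facebook shipped. It models a reset server that, as described above, accepts a code if it matches any code issued to the submitting device ID, and a hypothetical hardened variant (my assumption, not the actual fix) that binds each code to the account it was issued for. `RecoveryServer`, `enumerate_codes`, `hit_probability` and `expected_compromised` are names I chose; the accounts are constructed sample data, and the seeded PRNG is only there so the run is reproducible.

```python
import random
from collections import defaultdict


class RecoveryServer:
    """Toy model of the reset flow described in the post (added example).

    bind_to_user=False models the behaviour the post describes: a submitted
    code is accepted if it matches any code issued to the submitting device ID.
    bind_to_user=True is a hypothetical hardened variant (an assumption, not
    the real fix): a code is only valid for the account it was issued to, so
    pulling many accounts' codes onto one device ID no longer helps.
    """

    def __init__(self, bind_to_user=False, code_space=10**6, seed=0):
        self.bind_to_user = bind_to_user
        self.code_space = code_space            # 10**6 for 6-digit codes
        # Seeded PRNG for a reproducible simulation only; a real server must
        # draw codes from a CSPRNG such as secrets.randbelow().
        self._rng = random.Random(seed)
        # vulnerable model: device_id -> code -> {accounts}
        self._by_device = defaultdict(lambda: defaultdict(set))
        # hardened model:   (device_id, account) -> code
        self._by_account = {}

    def request_code(self, device_id, account):
        """Issue a fresh code for `account` to `device_id`; return it."""
        code = self._rng.randrange(self.code_space)
        if self.bind_to_user:
            self._by_account[(device_id, account)] = code
        else:
            self._by_device[device_id][code].add(account)
        return code

    def verify(self, device_id, code, account=None):
        """Return the set of accounts the reset may proceed for (empty = reject)."""
        if self.bind_to_user:
            ok = account is not None and self._by_account.get((device_id, account)) == code
            return {account} if ok else set()
        return set(self._by_device[device_id].get(code, ()))


def enumerate_codes(server, device_id, codes, account=None):
    """Submit every code in `codes` once against device_id; return matched accounts."""
    compromised = set()
    for code in codes:
        compromised |= server.verify(device_id, code, account)
    return compromised


def hit_probability(n_issued, code_space=10**6):
    """Chance that one guess matches at least one of n_issued random codes.
    The post's "n / 1,000,000" is the linear approximation of this value."""
    return 1 - (1 - 1 / code_space) ** n_issued


def expected_compromised(n_issued, n_guesses, code_space=10**6):
    """Expected number of accounts hit after n_guesses distinct guesses."""
    return n_issued * n_guesses / code_space


if __name__ == "__main__":
    victims = [f"user{i}" for i in range(100_000)]      # constructed sample accounts
    vuln = RecoveryServer(bind_to_user=False)
    for v in victims:
        vuln.request_code("attacker-device", v)          # every code lands on one device ID
    got = enumerate_codes(vuln, "attacker-device", range(10_000))
    print(f"vulnerable: {len(got)} accounts after 10,000 guesses "
          f"(expected ~{expected_compromised(100_000, 10_000):.0f})")
    print(f"per-guess hit probability: {hit_probability(100_000):.4f}")

    hard = RecoveryServer(bind_to_user=True)
    for v in victims:
        hard.request_code("attacker-device", v)
    got = enumerate_codes(hard, "attacker-device", range(10_000))
    print(f"hardened: {len(got)} accounts after 10,000 guesses")
```

With 100,000 codes issued to one device ID, about 1,000 accounts fall to the first 10,000 guesses in the vulnerable model, while the hardened model yields nothing unless the attacker brute-forces each account's full code space separately, which is exactly the amplification the post describes being removed.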
After the patch
I thank the Facebook security team for rewarding me through their bug bounty program. Let me know your thoughts in the comments.
Reddit account: https://www.reddit.com/user/laxmanmuthiyah/