"Feature" Instagram

In 2020, even if an attacker gets into your social network account, it is frustrating, but not critical. After all, many important actions are protected by two-factor authentication, and since the attacker has no access to your email or phone, he cannot steal the account. Is that so? No.



Not with Instagram, a social network used by 1 billion users (⅛ of the world's population). And they refused to fix it. In this article, I will tell you about a logical vulnerability that allows hijacking a person's account until he contacts tech support.



Interesting? Welcome under the cut!





Change email and phone number

So, the attacker somehow got into your Instagram account in the app or the web version. Perhaps he simply learned your username and password, or maybe you forgot to log out on a public computer; this is not so important. By default, two-factor authentication is disabled for everyone.





Can he do something to take over your account for a long time? Yes, he can, and that is exactly the problem.





At night, around 3-4 in the morning, when you are most likely sleeping, he deletes the linked phone number.

  • Is phone confirmation required? No, it is not.

  • Will an SMS arrive at the phone number? No, it will not.

  • Will a push notification arrive in the app? No, it will not.





A couple of clicks and the phone number is no longer linked; you are notified only by email, which you will most likely see only in the morning. Then the email: he changes that too.
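As an added illustration (not the article's or Instagram's code), here is a hypothetical Python model of a contact-change flow that closes the gap the bullets above describe: the current phone or email has to confirm its own replacement, a push notification is sent, and a “secure your account here” style revert token restores the previous contact and cancels every other revert token for that field. The `ContactChangeService` class, its outbox, and the `/disavow?t=` path are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

class ContactChangeService:
    """Hypothetical contact-change flow (not Instagram's code): a change is
    applied only after the current contact confirms it, and each applied
    change leaves a revert token that the previous contact can use."""

    def __init__(self, email, phone):
        self.email, self.phone = email, phone
        self.secret = secrets.token_bytes(32)
        self.pending = {}   # challenge id -> (field, new value, code, expiry)
        self.reverts = {}   # revert token -> (field, value to restore)
        self.outbox = []    # constructed stand-in for SMS/email/push delivery

    def request_change(self, field, new_value):
        # Unlike the weak flow (change first, email the old address later),
        # nothing changes until the current contact confirms with the code.
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self.pending[cid] = (field, new_value, code, time.time() + 600)
        channel = "sms" if field == "phone" else "email"
        self.outbox.append((channel, getattr(self, field), f"code {code}"))
        self.outbox.append(("push", "app", f"{field} change requested"))
        return cid

    def confirm_change(self, cid, code):
        field, new_value, expected, expiry = self.pending.pop(cid)
        if time.time() > expiry or not hmac.compare_digest(code, expected):
            return None
        old = getattr(self, field)
        setattr(self, field, new_value)
        token = hmac.new(self.secret, f"{field}:{old}:{cid}".encode(),
                         hashlib.sha256).hexdigest()
        self.reverts[token] = (field, old)
        self.outbox.append(("email", old, f"undo: /disavow?t={token}"))
        return token

    def disavow(self, token):
        # Restore the previous contact and drop every other revert token and
        # pending challenge for that field, so a chain of changes cannot be
        # "reverted" to an address the attacker also controls.
        if token not in self.reverts:
            return None
        field, old = self.reverts.pop(token)
        setattr(self, field, old)
        self.reverts = {t: v for t, v in self.reverts.items() if v[0] != field}
        self.pending = {c: v for c, v in self.pending.items() if v[0] != field}
        return old
```

In this model the nightly phone removal from the article would stall at `request_change`, because the code goes to the phone that is being removed and a push goes to the app.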





  • email? , . 





  • Push- ? , .





email , — email . , .





“secure your account here” (https://instagram.com/accounts/disavow). email , . , . ? , .





Account Takeover

, . :





  • “victim@example.com” - , .





  • "evil1@anyserver.com” - .





  • “evil2@anyserver.com” - .





:





  1. victim@example.com evil1@anyserver.com.





  2. evil1@anyserver.com.





  3. evil1@anyserver.com evil2@anyserver.com.





  4. evil2@anyserver.com.





  5.   “secure your account here” (“https://instagram.com/accounts/disavow/**) “evil1@anyserver.com” 1, .





?! , 1-5 , . , , !





3 , .   “secure your account here“. , . . , email , .





, :





  1. email email/.





  2. email, .





:





  1. / .





Facebook/Instagram

“ - . , , , . , - .”





  • , ?





  • -, - ?





, , . "" , =)