This article is about how I found a vulnerability on Instagram that allowed me to hack any Instagram account without the owner's consent. The Facebook and Instagram security team fixed the issue and rewarded me $30000 as a part of their bounty program.

Facebook is working constantly to improve its security controls on all of their platforms. As a part of it, they recently increased reward payouts for all critical vulnerabilities, including account takeovers. So I decided to try my luck on Facebook and Instagram. Fortunately, I was able to find one on Instagram.

The Instagram forgot-password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link-based password reset mechanism which is pretty strong, and I couldn't find any bugs after a few minutes of testing. Then I switched to their mobile recovery flow, where I was able to find a susceptible behavior.

When a user enters his/her mobile number, they will be sent a six-digit passcode to that mobile number. They have to enter it to change their password. Therefore, if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account. But I was pretty sure that there must be some rate limiting against such brute-force attacks.

My tests did show the presence of rate limiting. I sent around 1000 requests; 250 of them went through and the remaining 750 requests were rate limited. I tried another 1000, and now many of them got rate limited.
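As an added example (not the author's code and not Instagram's implementation), here is a recovery-code store that caps failed attempts per issued code rather than per client address, so that the one-million-code keyspace cannot be walked; the attempt cap and code lifetime are assumed policy values chosen for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # failed guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 600    # code lifetime in seconds (assumed policy)


class RecoveryCodeStore:
    """Issues six-digit recovery codes and enforces a per-code attempt cap.

    Constructed example. The cap is bound to the issued code, not to the
    requesting client, so it cannot be reset by changing source addresses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # phone -> [code, issued_at, failed_attempts]

    def issue(self, phone):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[phone] = [code, self._clock(), 0]
        return code  # in a real system this is sent by SMS, never returned

    def verify(self, phone, attempt):
        entry = self._codes.get(phone)
        if entry is None:
            return "no_code"
        code, issued_at, failed = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[phone]
            return "expired"
        if hmac.compare_digest(code, attempt):  # constant-time comparison
            del self._codes[phone]              # one-time use
            return "ok"
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[phone]              # invalidate; a new code is needed
            return "locked"
        return "wrong"


def brute_force_success_bound():
    """Upper bound on the chance of guessing one issued code: attempts / keyspace."""
    return MAX_ATTEMPTS / 10 ** CODE_DIGITS


def simulate_brute_force(store, phone):
    """Walk codes 000000 upward against one issued code; returns (outcome, tries)."""
    store.issue(phone)
    for guess in range(10 ** CODE_DIGITS):
        result = store.verify(phone, f"{guess:0{CODE_DIGITS}d}")
        if result in ("ok", "locked"):
            return result, guess + 1
    return "exhausted", 10 ** CODE_DIGITS
```

Running `simulate_brute_force` shows the enumeration stopping after `MAX_ATTEMPTS` guesses, and `brute_force_success_bound()` gives the attacker's best-case odds per issued code.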