Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram
Transcript of Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram
![Page 1: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/1.jpg)
THE TALES OF A BUG BOUNTY HUNTER:
10 INTERESTING VULNERABILITIES IN INSTAGRAM
ARNE SWINNEN
@ARNESWINNEN
HTTPS://WWW.ARNESWINNEN.NET
WHOAMI
• Arne Swinnen from Belgium, 26 years old
• IT Security Consultant since 2012
• Companies I have directly worked for (logos on the slide: currently / past)
• One packer to rule them all
• Cyber Security Challenge Belgium
AGENDA
• Introduction
• Setup
  • Man-in-the-Middle
  • Signature Key Phishing
  • APK Decompilation
• Vulnerabilities
  • Infrastructure: 2
  • Web: 2
  • Hybrid: 4
  • Mobile: 2
• Conclusion
• Q&A

INTRO

INTRODUCTION
Motivation
• Intention since 2012
• CTF-like, with rewards
• Write-ups
Timing
• Since April 2015
• Time spent: +-6 weeks
• Vacations sacrificed

• “Facebook for Mobile Pictures”: iOS & Android apps, web
• 400+ million monthly active users in September 2015
• Included in Facebook’s Bug Bounty Program

(Screenshots: private account vs. public account)
SETUP

MAN-IN-THE-MIDDLE
• Attempt 1: Android WiFi Proxy Settings (Instagram v6.18.0, 25/03/2015)
• Attempt 2: Ad-hoc WiFi Access Point
  Personal Android device: USB tethering ON
  Personal MacBook Pro: Internet sharing via WiFi ON
  Android test device: connected to the ad-hoc network
  (Instagram v6.18.0, 25/03/2015; Instagram v7.10.0, 05/11/2015)
• Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning
• Attempt 4: Ad-hoc WiFi AP & Smali Bypass
SIGNATURE KEY PHISHING

signed_body=0df7827209d895b1478a35a1882a9e1c87d3ba114cf8b1f603494b08b5d093b1.{"_csrftoken":"423d22c063a801f468f21d449ed8a103","username":"abc","guid":"b0644495-5663-4917-b889-156f95b7f610","device_id":"android-f86311b4vsa5j7d2","password":"abc","login_attempt_count":"11"}

Format: <HMAC-SHA256 tag, hex>.<JSON body>, keyed with the app’s signature key

Key: c1c7d84501d2f0df05c378f5efb9120909ecfb39dff5494aa361ec0deadb509a
Source: http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/
APK DECOMPILATION
1. Decompile APK to Java source code (d2j-dex2jar & jd-cli)
2. Identify endpoints & compare APK versions programmatically
   grep -roE '"[^":\. ]+/[^":\. ]*"'
3. Test old (legacy code) & monitor new endpoints (fresh code)
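One way to script step 2 of the procedure above, as an added example (not the speaker's script): the slide's grep pattern applied to two decompiled source trees and diffed, so that step 3 gets its two lists, endpoints only the old version referenced and endpoints only the new one does. The Java snippets and the paths in them are constructed stand-ins for jd-cli output; endpoints_in_tree is the same extraction over a real output directory.

```python
import re
from pathlib import Path

# The regex from the slide's grep, unchanged: a string literal holding a slash
# but no quote, colon, dot or space.
ENDPOINT_RE = re.compile(r'"[^":\. ]+/[^":\. ]*"')


def extract_endpoints(java_source):
    """Endpoint-looking literals in one decompiled file, without their quotes."""
    return {m.group(0).strip('"') for m in ENDPOINT_RE.finditer(java_source)}


def endpoints_in_tree(root):
    """Collect endpoints from every .java file under a jd-cli output directory."""
    found = set()
    for path in Path(root).rglob("*.java"):
        found |= extract_endpoints(path.read_text(errors="replace"))
    return found


def diff_endpoints(old, new):
    """(removed in new, added in new, present in both), each sorted."""
    old, new = set(old), set(new)
    return sorted(old - new), sorted(new - old), sorted(old & new)


# Constructed stand-ins for two decompiled versions; the paths are invented.
OLD_VERSION = '''
public class a { String u = "users/self/info/"; String l = "accounts/login/"; }
public class b { String f = "feed/timeline/"; String x = "http://example.com/a.b"; }
'''
NEW_VERSION = '''
public class a { String u = "users/self/info/"; String l = "accounts/login/"; }
public class c { String n = "accounts/two_factor/"; String t = "text/plain"; }
'''


def compare_versions(old_source=OLD_VERSION, new_source=NEW_VERSION):
    """Step 2 of the slide on the constructed inputs.

    Note the false positive: "text/plain" matches the pattern too. The grep
    is a triage heuristic; the hits still have to be read by hand.
    """
    return diff_endpoints(extract_endpoints(old_source),
                          extract_endpoints(new_source))


if __name__ == "__main__":
    removed, added, kept = compare_versions()
    print("legacy endpoints to test:", removed)
    print("fresh endpoints to monitor:", added)
    print("unchanged:", kept)
```

Run it against two real trees with diff_endpoints(endpoints_in_tree("v6.18.0"), endpoints_in_tree("v7.10.0")); the "removed" list is the legacy surface that may still be live on the server side.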
VULNERABILITIES
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network

# python subbrute.py instagram.com
instagram.com
www.instagram.com
blog.instagram.com
i.instagram.com
admin.instagram.com
mail.instagram.com
support.instagram.com
help.instagram.com
platform.instagram.com
api.instagram.com
business.instagram.com
bp.instagram.com
graphite.instagram.com
...

How to exploit?
a) Claim a 10.* IP on the local network & start a local webserver for http://graphite.instagram.com
b) Lure the victim into browsing to http://graphite.instagram.com and serve the login page of https://www.instagram.com
c) Hope that the victim provides credentials
(Requirements shown on the slide: local network access, social engineering)

Session cookie: Domain=instagram.com; httponly

a) Claim a 10.* IP on the local network & start a local webserver for http://graphite.instagram.com
b) Lure the victim into browsing to http://graphite.instagram.com while being authenticated to https://www.instagram.com
c) Copy the session cookie & hijack the session
(Requirements shown on the slide: local network access, social engineering)

Response from Facebook:
Thank you for your reply. This issue has been discussed at great lengths with the Facebook Security Team and while this behavior may be changed at some point in the future, it is not eligible for the bug bounty program. Although this issue does not qualify we appreciate your report and will follow up with you on any security bugs or with any further questions we may have.
Thanks and good luck with future bug hunting!

Source: https://exfiltrated.com/research-Instagram-RCE.php ($2500)

• Subdomains resolve to local IPs 10.*
• Session cookie scoped to all subdomains
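Both exploitation paths above hinge on a cookie with Domain=instagram.com being sent to a subdomain that resolves to a 10.* address under the attacker's control. As an added example (not the speaker's code), the block below uses the standard library's browser-like cookie policy to show which cookie scopes reach http://graphite.instagram.com: the cookie as found on the slide, the same cookie with Secure, and a host-only cookie. is_internal and resolve_and_flag are the resolution check for a subbrute-style list. The session value and the 93.184.216.34 address are constructed, and the hardened variants are illustrations, not what Instagram changed.

```python
import http.cookiejar
import ipaddress
import socket
import urllib.request

# Ranges a public *.instagram.com name should never point at.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addresses):
    """True when every resolved address lies in an internal range (10.* on the slide)."""
    return all(any(ipaddress.ip_address(a) in net for net in INTERNAL_NETS)
               for a in addresses)


def resolve_and_flag(hostnames):
    """Live DNS check for a subbrute-style list: {hostname: [addresses]} for internal hits."""
    flagged = {}
    for host in hostnames:
        try:
            addrs = sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
        except socket.gaierror:
            continue
        if addrs and is_internal(addrs):
            flagged[host] = addrs
    return flagged


def make_cookie(name, value, domain, domain_specified, secure):
    """A cookie as a browser would store it.

    Domain=instagram.com is stored as ".instagram.com" and matches every
    subdomain; domain_specified=False models a cookie set without a Domain
    attribute, which stays bound to the issuing host.
    """
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."), path="/", path_specified=True,
        secure=secure, expires=None, discard=True, comment=None, comment_url=None,
        rest={"HttpOnly": None}, rfc2109=False)


def would_send(cookie, url):
    """Does the stdlib's browser-like cookie policy attach the cookie to a request for url?"""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(cookie)
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") is not None


# Constructed session value; the real one is of course not on the slide.
NAME, VALUE = "sessionid", "constructed-session-value"

AS_ON_SLIDE = make_cookie(NAME, VALUE, ".instagram.com", True, secure=False)   # Domain=instagram.com; httponly
WITH_SECURE = make_cookie(NAME, VALUE, ".instagram.com", True, secure=True)    # plus Secure
HOST_ONLY = make_cookie(NAME, VALUE, "www.instagram.com", False, secure=True)  # no Domain attribute

ROGUE_HTTP = "http://graphite.instagram.com/"    # attacker answering on the 10.* address
ROGUE_HTTPS = "https://graphite.instagram.com/"  # same host, if the attacker also had a valid cert
LEGIT = "https://www.instagram.com/"


def summary():
    """Which cookie variants leak to the hijacked subdomain."""
    return {
        "as_on_slide_to_rogue_http": would_send(AS_ON_SLIDE, ROGUE_HTTP),
        "secure_to_rogue_http": would_send(WITH_SECURE, ROGUE_HTTP),
        "secure_to_rogue_https": would_send(WITH_SECURE, ROGUE_HTTPS),
        "host_only_to_rogue_https": would_send(HOST_ONLY, ROGUE_HTTPS),
        "host_only_to_legit": would_send(HOST_ONLY, LEGIT),
    }


if __name__ == "__main__":
    for name, sent in summary().items():
        print(f"{name}: {sent}")
```

Secure alone stops the plain-http variant on the slide but still lets the cookie reach any subdomain over TLS; binding the cookie to the issuing host (no Domain attribute) is what removes the subdomains from the picture, and HttpOnly plays no part in either case.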

2. Employee Email Authentication Brute-Force Lockout
a) Outdated Proofpoint Protection Server (7.1 < 7.5)
b) Brute-force possible against exposed login screens

Response from Facebook:
Thank you for your patience here. After discussions with the product team and the security team, we have determined that this report does not pose a significant risk to user security and/or privacy. As such, this report is not eligible for our bug bounty program.
WEB
3. Public Profile Tabnabbing

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/

Response from Facebook:
We have previously been made aware of this issue and are in the process of investigating it. Thank you for submitting it to us. Please send along any additional security issues you encounter.
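A profile's website link opens in a new tab, and a page opened that way can call window.opener.location.replace() to swap the original tab for a look-alike login page; rel="noopener" severs that handle (current browsers apply it by default for target="_blank", which was not the case at the time of the talk). As an added example (not the speaker's code), the block below is a small scanner for such links in server-rendered HTML, together with the rel fix; the HTML fragment and its hostnames are constructed.

```python
from html.parser import HTMLParser


class BlankTargetScanner(HTMLParser):
    """Collect hrefs of <a target="_blank"> links whose rel lacks noopener."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel = {t.lower() for t in a.get("rel", "").split()}
        if "noopener" not in rel:
            self.unsafe.append(a.get("href", ""))


def find_tabnabbing_links(html):
    """Links whose opened page could rewrite this tab through window.opener."""
    scanner = BlankTargetScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.unsafe


def hardened_rel(rel):
    """Add noopener, plus noreferrer for browsers that only understood the latter."""
    tokens = rel.split()
    present = {t.lower() for t in tokens}
    for needed in ("noopener", "noreferrer"):
        if needed not in present:
            tokens.append(needed)
    return " ".join(tokens)


# Constructed profile-page fragment; the hosts are invented. The first link
# behaves like the public-profile website link the slide is about.
SAMPLE = '''
<a href="http://attacker.example/" target="_blank">my website</a>
<a href="https://safe.example/" target="_blank" rel="nofollow noopener">ok</a>
<a href="https://same-tab.example/">no new tab</a>
'''

if __name__ == "__main__":
    for href in find_tabnabbing_links(SAMPLE):
        print("unsafe new-tab link:", href)
    print('rel="nofollow" becomes rel="%s"' % hardened_rel("nofollow"))
```

Only user-controlled destinations matter for the scan; the one on the slide is the website field of a public profile, which anyone can point at a page they run.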

4. Web Server Directory Enumeration

https://instagram.com
https://instagram.com/?hl=en
https://instagram.com/?hl=./en
https://instagram.com/?hl=../locale/en
https://instagram.com/?hl=../LOCALE/EN
https://instagram.com/?hl=../wrong/en

42 hits for ../<GUESS>/../locale/nl/

Response from Facebook:
Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

My apologies on my previous reply, it was intended for another report.
…
After reviewing the issue you have reported, we have decided to award you a bounty of $500 USD.

Follow-up (31/08/2015), application DDoS:
There is one thing I'd like to add here. I have not tested this attack for obvious reasons, but wouldn't the following request have resulted in a Denial of Service attack?:
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/random%00
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/urandom%00

18/10/2015:
Have you already found some time to consider my last response?

Response from Facebook (29/12/2015):
Thanks for being patient. When we considered the initial report, we had already accounted for the possibility of reading files such as /dev/random and /dev/urandom, and the reward is still $500. The act of reading those files does not significantly affect our infrastructure too much as we have systems in place to deal with unresponsive servers.
![Page 100: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/100.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
100
{
"status": "ok",
"media": {
"organic_tracking_token": "eyJ2ZXJzaW9uIjozLCJwYXlsb2FkIjp7ImlzX2FuYWx5dGljc190cmFja2VkIjpmYWxzZSwidXVpZCI6IjYxNGMwYzk1MDRlNDRkMWU4YmI3ODlhZTY3MzUxZjNlIn0sInNpZ25hdHVyZSI6IiJ9",
"client_cache_key": "MTExODI1MTg5MjE1NDQ4MTc3MQ==.2",
"code": "-E1CvRRrxr",
(...SNIP...)
"media_type": 1,
"pk": 1118251892154481771,
"original_width": 1080,
"has_liked": false,
"id": "1118251892154481771_2036044526"
},
"upload_id": "1447526029474"
}
![Page 101: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/101.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
101
Private
account
![Page 102: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/102.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
102
Private
account
![Page 103: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/103.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
103
Private
account
![Page 104: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/104.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
104
GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
![Page 105: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/105.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
105
Private
account
![Page 106: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/106.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
106
@Kevin
Pk: 3
@MikeyK
Pk: 4
@BritneySpears
Pk: 12246775
@msvigdis
Pk: 12246776
1pJ1DhgBD- 159sxaABXG 16jJhVG8HU iV93JDG8Ue
1kHzf_gBLp 1onIDogBf3 1yFoqcm8D9 XMUVDFm8X8
0-pshJgBAg 0yi-hjgBaE 1tejnLm8Co VuWAQam8Xv
09pY_OgBPX 0k_oZWABSU 1r59lSm8GX Vj81GHm8W9
0l1GTXABDo 0gboKEgBYr 1qrMPRG8AB UEoTBAG8Sy
0k_apGABDm 0UDrVFgBVJ 1ghW7RG8B2 TfpmTGm8QP
0f5P_6ABOe z-maEDgBWK 1T3KHhm8N2 TWbKzfm8f-
0GEiJKABAC z5HB2BgBbj 1Q2H_WG8LX TVOOKEm8To
0BuHO9ABOx zxeRSGgBaL 1OywdMm8Lf TThPzXm8cm
z-9x5aABEq zSqgd5ABco 1H2JvGG8DL TS3Swlm8dZ
z8QVuXABD6 zQ6VkUABdH 08dtcTG8Hb TOtd3tm8Ve
z4vsirABO4 zJDzvRgBbR 00exOYm8Br TOfRfAm8aZ
z2KV0OgBIE zBrTlsABXv 0yXTU6m8MN TJikVLm8W9
![Page 107: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/107.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
107
![Page 108: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/108.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
108
Private victim account                Public attacker account
(monitored by attacker)               (generated right after monitor hit)
1yCwjTJRnk 1yCwodpTlC
1yC05mJRnq 1yC0_ApTlL
1yC5PqpRnu 1yC5UopTlX
1yC9nTJRnw 1yC9repTlk
1yDGULpRn9 1yDGaDpTl1
1yDKrvpRoB 1yDKvtJTl8
1yDPCCpRoI 1yDPHVpTl_
1yDTZGpRoO 1yDTdvpTmH
1yDXxRpRoW 1yDX1fJTmP
1yDgdBpRol 1yDgj6JTmb
1yDk1qpRop 1yDk6ypTme
1yD6mjpRpT 1yD6sCpTnL
1yEDSqpRpn 1yEDXYJTnU
1yEHpNJRpt 1yEHuTpTnc
1yEQWTpRqD 1yEQb3pTnw
1yEUtCJRqL 1yEUyJJTn5
1yEZEKJRqU 1yEZI3pToI
1yEdaxpRqe 1yEdfEpToO
![Page 109: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/109.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
• These tokens represent identifiers based on the following alphabet: A-Za-z0-9_- (64 characters in total)
• The first 6 characters are global, incremental identifiers
• The 7th character only differs between 2 possibilities and is based on the “Pk” of each user
• The 8th character is constant per user and is also based on the “Pk” of each user
• The 9th and 10th character are user-specific incremental identifiers with the same alphabet as the global identifier (see above)
109
![Page 110: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/110.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
110
![Page 111: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/111.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
Entropy: 64^6 = 68.719.476.736 possibilities
• The 7th character only differs between 2 possibilities and is based on the "Pk" of each user
• The 8th character is constant per user and is also based on the "Pk" of each user
Final entropy: 2 * 64^4 = 33.554.432 possibilities
Feasible!
111
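The structure the slides reverse-engineered from observation falls straight out of the way these codes are built: the 10-character code is a base-64 rendering of the 64-bit media id (the slide's own pair, code -E1CvRRrxr and pk 1118251892154481771, round-trips), and the id follows the layout Instagram described in its "Sharding & IDs at Instagram" engineering post: a 41-bit millisecond timestamp, a 13-bit logical shard and a 10-bit sequence. The 7th character straddles the timestamp's lowest bit and the shard's top five bits, which is exactly the "2 possibilities per user" observation; the 8th character is pure shard, hence constant per user. The decoder below is an added example, not code from the talk or from Instagram; the alphabet ordering and the custom epoch (1314220021721 ms, from that engineering post) are assumptions that the slide's own example confirms numerically (its timestamp lands about 5.8 s after the upload_id shown on slide 100).

```python
"""Decode Instagram media shortcodes into the 64-bit media id they encode."""

# Six bits per character. This ordering is an assumption, but it is the one under which
# the slide's own pair (code "-E1CvRRrxr", pk 1118251892154481771) round-trips.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}

# Field layout from Instagram's "Sharding & IDs at Instagram" engineering post:
# [41 bits: ms since custom epoch][13 bits: logical shard][10 bits: per-shard sequence]
INSTAGRAM_EPOCH_MS = 1314220021721   # assumption taken from that post
SHARD_BITS = 13
SEQ_BITS = 10


def shortcode_to_id(code: str) -> int:
    """Base-64 decode of the code, most significant character first."""
    value = 0
    for ch in code:
        value = (value << 6) | INDEX[ch]
    return value


def id_to_shortcode(media_id: int) -> str:
    """Inverse of shortcode_to_id; an id of 0 would encode as a single 'A'."""
    chars = []
    while media_id:
        chars.append(ALPHABET[media_id & 63])
        media_id >>= 6
    return "".join(reversed(chars)) or ALPHABET[0]


def split_id(media_id: int) -> dict:
    """Break the id into its three fields; the timestamp comes back as Unix milliseconds."""
    return {
        "timestamp_ms": (media_id >> (SHARD_BITS + SEQ_BITS)) + INSTAGRAM_EPOCH_MS,
        "shard": (media_id >> SEQ_BITS) & ((1 << SHARD_BITS) - 1),
        "sequence": media_id & ((1 << SEQ_BITS) - 1),
    }


def char_fields(position: int) -> dict:
    """How many bits of each field the 1-based `position` of a 10-character code carries.
    Position 7 holds the timestamp's lowest bit plus the shard's top five bits (the slide's
    "2 possibilities"); position 8 is shard only (the slide's "constant per user")."""
    hi = 60 - 6 * (position - 1)      # exclusive top bit index of this character
    lo = hi - 6
    layout = (
        ("timestamp", 64, SHARD_BITS + SEQ_BITS),
        ("shard", SHARD_BITS + SEQ_BITS, SEQ_BITS),
        ("sequence", SEQ_BITS, 0),
    )
    fields = {}
    for name, top, bottom in layout:
        overlap = min(hi, top) - max(lo, bottom)
        if overlap > 0:
            fields[name] = overlap
    return fields


def candidate_space(window_ms: int, shard_known: bool = True) -> int:
    """Ids to enumerate for a post known to fall inside a `window_ms` wide interval:
    every millisecond times every sequence number (times every shard if it is unknown)."""
    shards = 1 if shard_known else 1 << SHARD_BITS
    return window_ms * shards * (1 << SEQ_BITS)


if __name__ == "__main__":
    media_id = shortcode_to_id("-E1CvRRrxr")
    print(media_id, split_id(media_id))
    print({pos: char_fields(pos) for pos in range(1, 11)})
    print(candidate_space(1 << 15))   # 33554432 == 2 * 64**4, the slide's figure
```

Running it on the codes from slide 108 shows the same thing the attacker relied on: the two victim codes 1yCwjTJRnk and 1yC5PqpRnu carry an identical shard field, while the attacker's 1yCwodpTlC differs only in the shard (and sequence), because it was posted within the same moment. Under this layout the slide's "2 * 64^4" figure is 2^25, which is what an attacker faces who knows the shard and can place the post inside a window of 2^15 ms (roughly 33 seconds) times 1024 sequence numbers.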
![Page 112: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/112.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
112
After reviewing the issue you have reported, we have decided to award you a
bounty of $1000 USD.
![Page 113: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/113.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
113
![Page 114: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/114.jpg)
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
114
![Page 115: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/115.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
115
GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
User-Agent: Instagram 7.10.0 Android (19/4.4.4; 320dpi; 768x1184; LGE/google; Nexus 4; mako; mako; en_US)
Cookie: sessionid=IGSC0098a4bee11b593953fd4a3fe0695560f407a103d8eef9f5be083ff21e186673:PEVejQeSkS2p8WYxAEgtyUWdXz9STvKM:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:7DcRpg1d0ve5T0NkbToN5yVleZUh0Ifh:571e05df8ecd8de2efc47dca5f222720233234f6f0511fb20e0ad42c1302ea27","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447525940.04528,"_platform":1}
HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
![Page 116: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/116.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
116
GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Cookie: sessionid=IGSCffa96a73743adba6c93194ae05041159e0cf6ede2627ae3735c3aa9079cfe853:EasK95PNVAy5CUCA8RnhXrFsCy6I6S5R:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:QTKFc7soS0BHa61aqjAmoqLQ3B3hDkLd:d567a7909eb6db0bc766c5f1f168ae2c5e3086aae93c67273cda175933d96162","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447628626.205864,"_platform":4}
HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
![Page 117: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/117.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
117
CSRF
![Page 118: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/118.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
118
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture
CSRF
![Page 119: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/119.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
Usertags Feed Authorization Bypass
119
![Page 120: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/120.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture
120
![Page 121: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/121.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture
121
After reviewing the issue you have reported, we have decided to award you a
bounty of $1000.
![Page 122: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/122.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
122
![Page 123: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/123.jpg)
WEB + MOBILE
6. Private Account Shared Pictures CSRF
123
GET
instead of
POST
CSRF
attack surface
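The two captures on slides 115 and 116 differ only in the session cookie and the User-Agent: the app session carries "_platform":1, the browser session "_platform":4, and the private API on i.instagram.com answered both, over a plain GET. The audit helper below is an added example (not Instagram's code and not from the talk) that flags those properties in captured traffic. It parses the sessionid layout visible on the slides (an IGSC-prefixed hash, a token and a JSON blob of claims, colon-separated, sometimes URL-encoded); the policy it checks against (app API accepts only app sessions and app User-Agents, per-user media endpoints are not reachable by bare GET) is an assumption about what a hardened service would enforce; the cookies in the block are constructed with dummy hash and token values, only the claim names and platform values come from the page.

```python
import json
from urllib.parse import unquote

# Platform values seen in the two captures: app session = 1, browser session = 4.
MOBILE_PLATFORM = 1
WEB_PLATFORM = 4

# Path prefix under which the audited endpoints live (the permalink endpoint on the slides).
PER_USER_MEDIA_PREFIX = "/api/v1/media/"


def parse_sessionid(value: str) -> dict:
    """Split the sessionid cookie into hash, token and claims. The claims JSON itself
    contains colons (inside "_token"), so only the first two separators count."""
    prefix, token, claims = unquote(value).split(":", 2)
    return {"prefix": prefix, "token": token, "claims": json.loads(claims)}


def audit_api_request(method: str, path: str, headers: dict, cookies: dict) -> list:
    """Return the weaknesses a captured app-API request exhibits under the assumed policy."""
    findings = []
    claims = parse_sessionid(cookies["sessionid"])["claims"]
    platform = claims.get("_platform")
    if platform != MOBILE_PLATFORM:
        findings.append(f"session platform {platform} accepted on app API")
    if not headers.get("User-Agent", "").startswith("Instagram "):
        findings.append("non-app User-Agent accepted")
    if method == "GET" and path.startswith(PER_USER_MEDIA_PREFIX):
        findings.append("per-user media endpoint reachable with a cookie-only GET")
    return findings


def make_cookie(platform: int, user_id: int) -> str:
    """Constructed sessionid in the layout shown on the slides; hash and token are dummies."""
    claims = {
        "_token_ver": 1,
        "_auth_user_id": user_id,
        "_token": f"{user_id}:dummytoken:dummysignature",
        "_auth_user_backend": "accounts.backends.CaseInsensitiveModelBackend",
        "last_refreshed": 1447525940.04528,
        "_platform": platform,
    }
    return "IGSC" + "0" * 64 + ":" + "X" * 32 + ":" + json.dumps(claims, separators=(",", ":"))


# Constructed requests mirroring slides 115 and 116.
APP_REQUEST = dict(
    method="GET",
    path="/api/v1/media/1118251892154481771_2036044526/permalink/",
    headers={"User-Agent": "Instagram 7.10.0 Android (19/4.4.4; 320dpi; 768x1184; LGE/google; Nexus 4; mako; mako; en_US)"},
    cookies={"sessionid": make_cookie(MOBILE_PLATFORM, 2036044526)},
)
WEB_REQUEST = dict(
    APP_REQUEST,
    headers={"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"},
    cookies={"sessionid": make_cookie(WEB_PLATFORM, 2036044526)},
)

if __name__ == "__main__":
    for name, req in (("app", APP_REQUEST), ("web", WEB_REQUEST)):
        print(name, audit_api_request(**req))
```

The app capture still trips the GET finding: a read-only endpoint that returns per-user data on a cookie-authenticated GET is the "GET instead of POST" attack surface the slide names, independent of which client the session came from.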
![Page 124: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/124.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
124
![Page 125: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/125.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
125
![Page 126: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/126.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
126
![Page 127: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/127.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
127
![Page 128: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/128.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
128
![Page 129: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/129.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
129
After reviewing the issue you have reported, we have decided to award you a
bounty of $750 USD.
![Page 130: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/130.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
130
![Page 131: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/131.jpg)
WEB + MOBILE
7. Email Address Account Enumeration
131
![Page 132: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/132.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
132
![Page 133: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/133.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
133
Spot the difference
![Page 134: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/134.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
134
![Page 135: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/135.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
135
![Page 136: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/136.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
136
![Page 137: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/137.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
137
![Page 138: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/138.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
138
![Page 139: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/139.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
139
![Page 140: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/140.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
140
![Page 141: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/141.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
141
![Page 142: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/142.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
142
![Page 143: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/143.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
143
![Page 144: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/144.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
144
![Page 145: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/145.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
145
User Email address(es)
victim instagrampentesting1@gmail.com
attacker instagrampentesting2@gmail.com
![Page 146: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/146.jpg)
WEB + MOBILE
146
Scenario: Assume temporary access for an attacker to victim session
Man-in-the-Middle
(before SSL Pinning)
Physical access to
unlocked phone
Cross-site Scripting
Vulnerability
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 147: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/147.jpg)
WEB + MOBILE
147
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 148: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/148.jpg)
WEB + MOBILE
148
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 149: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/149.jpg)
WEB + MOBILE
149
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 150: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/150.jpg)
WEB + MOBILE
150
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 151: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/151.jpg)
WEB + MOBILE
151
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 152: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/152.jpg)
WEB + MOBILE
152
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 153: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/153.jpg)
WEB + MOBILE
153
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 154: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/154.jpg)
WEB + MOBILE
154
Attacker
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 155: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/155.jpg)
WEB + MOBILE
155
              Victim                                  Attacker
Email         instagrampentesting1@gmail.com          instagrampentesting2@gmail.com
Reclaim link  (victim)   https://instagram.com/accounts/disavow/xjo94i/OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZzFAZ21haWwuY29t/
              (attacker) https://instagram.com/accounts/disavow/xjo94i/TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJAZ21haWwuY29t/
Currently owns
victim account
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
![Page 156: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/156.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
156
Victim
![Page 157: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/157.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
157
Victim
![Page 158: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/158.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
158
Currently owns
victim account
![Page 159: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/159.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
159
Attacker
![Page 160: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/160.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
160
Attacker
![Page 161: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/161.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
161
Wins!
![Page 162: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/162.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
162
After reviewing the issue you have reported, we have decided to award you a
bounty of $2000 USD.
![Page 163: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/163.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
163
![Page 164: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/164.jpg)
WEB + MOBILE
8. Account Takeover via Change Email Functionality
164
Mail to wrong email address
Allow chaining of "secure account" links
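The reclaim links in the table are less opaque than they look: the first path segment is the account's user id in base36 (xjo94i is 2028428082, the same _auth_user_id that appears in the session cookie of the capture under vulnerability 9), the last segment is the e-mail address in URL-safe base64 with the padding stripped, and only the middle segment is a secret. The block below is an added example, not code from the talk or from Instagram: a parser for that link format plus a toy model of the change-e-mail flow that replays the sequence on slides 146 to 161. The model's behaviour (every reclaim link stays valid until it is used, so whoever redeems last wins) and its fix (a redeemed reclaim link invalidates every other outstanding link on that account) are my reading of the "Allow chaining of 'secure account' links" root cause, not a description of Instagram's implementation; tokens are generated locally with secrets.

```python
import base64
import secrets


def parse_disavow_link(url: str) -> dict:
    """Decode /accounts/disavow/<user id, base36>/<token>/<e-mail, urlsafe base64>/.
    Only the token is a secret; the other two segments are merely encoded."""
    uid_b36, token, email_b64 = url.rstrip("/").split("/")[-3:]
    email_b64 += "=" * (-len(email_b64) % 4)            # restore stripped padding
    return {
        "user_id": int(uid_b36, 36),
        "token": token,
        "email": base64.urlsafe_b64decode(email_b64).decode(),
    }


VICTIM = "instagrampentesting1@gmail.com"     # decoded from the victim link on the slide
ATTACKER = "instagrampentesting2@gmail.com"   # decoded from the attacker link on the slide


class Account:
    def __init__(self, user_id: int, email: str):
        self.user_id = user_id
        self.email = email
        self.reclaim_links = {}      # token -> address that the link restores


class EmailChangeService:
    """Toy model of change-e-mail plus reclaim links (assumption, not Instagram's code)."""

    def __init__(self, invalidate_siblings_on_use: bool):
        self.invalidate_siblings_on_use = invalidate_siblings_on_use

    def change_email(self, account: Account, new_email: str) -> str:
        """Switch the address; return the token that is mailed to the displaced address."""
        token = secrets.token_urlsafe(6)
        account.reclaim_links[token] = account.email
        account.email = new_email
        return token

    def reclaim(self, account: Account, token: str) -> bool:
        """Redeem a reclaim link. Returns False for unknown or already invalidated tokens."""
        restore_to = account.reclaim_links.pop(token, None)
        if restore_to is None:
            return False
        if self.invalidate_siblings_on_use:
            account.reclaim_links.clear()    # a reclaim settles ownership; older links die
        account.email = restore_to
        return True


def run_scenario(invalidate_siblings_on_use: bool) -> str:
    """Replay the slide sequence; return the address that owns the account at the end."""
    svc = EmailChangeService(invalidate_siblings_on_use)
    acct = Account(2028428082, VICTIM)
    # Attacker with temporary session access moves the address to their own ...
    link_to_victim = svc.change_email(acct, ATTACKER)     # mailed to VICTIM, restores VICTIM
    # ... and moves it back, so that a reclaim link lands in the attacker's own mailbox.
    link_to_attacker = svc.change_email(acct, VICTIM)     # mailed to ATTACKER, restores ATTACKER
    svc.reclaim(acct, link_to_victim)                     # victim "secures" the account
    svc.reclaim(acct, link_to_attacker)                   # attacker replays their own link
    return acct.email


if __name__ == "__main__":
    print(parse_disavow_link(
        "https://instagram.com/accounts/disavow/xjo94i/OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZzFAZ21haWwuY29t/"))
    print("chaining allowed  ->", run_scenario(invalidate_siblings_on_use=False))
    print("chaining blocked  ->", run_scenario(invalidate_siblings_on_use=True))
```

The second root cause on the slide, mail going to the wrong address, is outside this model: it only covers which links are still honoured once they have been sent.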
![Page 165: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/165.jpg)
MOBILE
9. Private Account Users Following
165
![Page 166: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/166.jpg)
MOBILE
9. Private Account Users Following
166
![Page 167: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/167.jpg)
MOBILE
9. Private Account Users Following
167
GET /api/v1/discover/su_refill/?target_id=2036044526 HTTP/1.1
Host: i.instagram.com
Connection: Keep-Alive
Cookie: sessionid=IGSCd064c22cd43d17a15dca6bc3a903cb18e8f9e292a859c9d1289ba268103ee563%3A1WJvjHstqAnPj0i5dcjVRpgcn3wCRQgk%3A%7B%22_token_ver%22%3A1%2C%22_auth_user_id%22%3A2028428082%2C%22_token%22%3A%222028428082%3AYeZzCYWQLGD8D7d3NzFIbBiWlYJVVa7G%3A078ae8d72b72846a6431945fd59c38f1b04b8f93dd6ec4b20165693e65b21915%22%2C%22_auth_user_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C%22last_refreshed%22%3A1441031445.81182%2C%22_platform%22%3A1%7D; ds_user=pentestingvictim
![Page 168: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/168.jpg)
MOBILE
9. Private Account Users Following
168
HTTP/1.1 200 OK
(…SNIP…)
{
"status": "ok",
"items": [
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "springsteen",
"has_anonymous_profile_picture": false,
"profile_pic_url": "http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-19\/11370983_1020871741276370_1099684925_a.jpg",
"full_name": "Bruce Springsteen",
"pk": "517058514",
"is_verified": true,
"is_private": false
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": ["http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-15\/s150x150\/e35\/11373935_872054516217170_419659415_n.jpg?"],
![Page 169: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/169.jpg)
MOBILE
9. Private Account Users Following
169
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "pentesttest",
"has_anonymous_profile_picture": true,
"profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
"full_name": "rest",
"pk": "1966431878",
"is_verified": false,
"is_private": true
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": [],
"large_urls": [],
"media_infos": [],
"media_ids": [],
"icon": ""
}]
}
![Page 170: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/170.jpg)
MOBILE
9. Private Account Users Following
170
![Page 171: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/171.jpg)
MOBILE
9. Private Account Users Following
171
After reviewing the issue you have reported, we have decided to award you a
bounty of $2,500 USD.
![Page 172: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/172.jpg)
MOBILE
9. Private Account Users Following
172
![Page 173: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/173.jpg)
MOBILE
9. Private Account Users Following
173
![Page 174: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/174.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
174
![Page 175: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/175.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
175
![Page 176: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/176.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
176
![Page 177: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/177.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
177
![Page 178: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/178.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
178
![Page 179: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/179.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
179
![Page 180: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/180.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
180
![Page 181: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/181.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
181
This is intentional behavior in our product. We do not consider it a security
vulnerability, but we do have controls in place to monitor and mitigate abuse.
![Page 182: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/182.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
182
![Page 183: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/183.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
183
![Page 184: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/184.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
184
Attacker revenue from premium-rate calls, per account and with 100 accounts:

                 1 account      100 accounts
  per hour       $2             $200
  per day        $48            $4,800
  per month      $1,440         $144,000
![Page 185: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/185.jpg)
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
185
Hello again! We'll be doing some fine-tuning of our rate limits and work on the
service used for outbound calls in response to this submission, so this issue will
be eligible for a whitehat bounty. You can expect an update from us again when
the changes have been made. Thanks!
...
After reviewing the issue you have reported, we have decided to award you a
bounty of $2000 USD.
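The fix Facebook describes above is rate limiting on the outbound-call service. The following is an added example, not Instagram's code and not from the talk, showing why such a limit has to be keyed on the destination number (and its prefix) and not only on the requesting account: the revenue table on slide 184 scales linearly with the number of attacker accounts precisely because a per-account limit is bypassed by registering more accounts. The class, the limit values, the crude four-character prefix and the premium-rate number are all hypothetical choices for the example.

```python
from collections import defaultdict, deque


class OutboundCallLimiter:
    """Sliding-window rate limiter for phone-verification calls.

    Every call is counted against three keys at once: the requesting
    account, the destination number and the destination prefix. Counting
    only the account key is the weakness the slides exploit: an attacker
    who owns 100 accounts gets 100x the calls to the same premium number.
    """

    def __init__(self, per_account=3, per_number=3, per_prefix=20, window_s=3600):
        # Hypothetical example limits, not Instagram's real settings.
        self.limits = {"acct": per_account, "num": per_number, "pfx": per_prefix}
        self.window_s = window_s
        self._events = defaultdict(deque)  # (kind, id) -> call timestamps

    def _recent(self, key, now):
        """Drop timestamps older than the window and return the remaining count."""
        q = self._events[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return len(q)

    def allow(self, account_id, number, now):
        """Record the call and return True, or return False if any key is exhausted."""
        # number[:4] is a deliberately crude prefix (e.g. "+449"); a real
        # deployment would use a per-country premium-rate prefix table.
        keys = [("acct", account_id), ("num", number), ("pfx", number[:4])]
        if any(self._recent(k, now) >= self.limits[k[0]] for k in keys):
            return False
        for k in keys:
            self._events[k].append(now)
        return True


def simulate_attack(limiter, accounts, attempts_per_account, number, hours=1):
    """Attacker controls `accounts` accounts and asks each for
    `attempts_per_account` verification calls per hour to one premium-rate
    number. Returns how many calls the service would actually place."""
    placed = 0
    for hour in range(hours):
        for acct in range(accounts):
            for attempt in range(attempts_per_account):
                # Spread the requests over the hour, a few seconds apart.
                now = hour * 3600 + acct * 30 + attempt
                if limiter.allow(f"acct{acct}", number, now):
                    placed += 1
    return placed


# Constructed destination in a UK premium-rate style range; not a real number.
PREMIUM_NUMBER = "+449012345678"

if __name__ == "__main__":
    # Per-account limit only: the model the attack multiplies by account count.
    per_account_only = OutboundCallLimiter(per_account=3, per_number=10**9, per_prefix=10**9)
    # Destination-aware limits on top of the per-account one.
    hardened = OutboundCallLimiter(per_account=3, per_number=3, per_prefix=20)
    print("per-account only:", simulate_attack(per_account_only, 100, 10, PREMIUM_NUMBER))
    print("destination-aware:", simulate_attack(hardened, 100, 10, PREMIUM_NUMBER))
```

With 100 attacker accounts the per-account limiter still places 300 calls an hour to the same premium number, while the destination-aware limiter caps it at 3 per hour regardless of how many accounts the attacker registers. Keying on the prefix as well catches the variant where the attacker rotates through a block of premium numbers.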
![Page 188: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/188.jpg)
CONCLUSION
188
![Page 189: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/189.jpg)
CONCLUSION
189
 #   Vulnerability                                        Category         Bounty
 1   Instagram.com Subdomain Hijacking on Local Network   Infrastructure   $0
 2   Employee Email Authentication Brute-Force Lockout    Infrastructure   $0
 3   Public Profile Tabnabbing                            Web              $0
 4   Web Server Directory Enumeration                     Web              $500
 5   Private Account Shared Pictures Token Entropy        Hybrid           $1000
 6   Private Account Shared Pictures CSRF                 Hybrid           $1000
 7   Email Address Account Enumeration                    Hybrid           $750
 8   Account Takeover via Change Email Functionality      Hybrid           $2000
 9   Private Account Users Following                      Mobile           $2500
10   Steal Money Through Premium Rate Phone Numbers       Mobile           $2000 + 1
     Total                                                                 $9750 + 1
![Page 190: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/190.jpg)
CONCLUSION
190
 #   Vulnerability                                        Category         Bounty
 1   Instagram.com Subdomain Hijacking on Local Network   Infrastructure   $0
 2   Employee Email Authentication Brute-Force Lockout    Infrastructure   $0
 3   Public Profile Tabnabbing                            Web              $0
 4   Web Server Directory Enumeration                     Web              $1000
 5   Private Account Shared Pictures Token Entropy        Hybrid           $1000
 6   Private Account Shared Pictures CSRF                 Hybrid           $2000
 7   Email Address Account Enumeration                    Hybrid           $1500
 8   Account Takeover via Change Email Functionality      Hybrid           $2000
 9   Private Account Users Following                      Mobile           $2500
10   Steal Money Through Premium Rate Phone Numbers       Mobile           $4000 + 1
     Total                                                                 $14000 + 1
https://www.letuschange.net
![Page 191: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/191.jpg)
CONCLUSION
191
SDLC Mapping Summary (pie chart)
Development: 6 (46%)
Design: 5 (39%)
Maintenance: 2 (15%)
![Page 192: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/192.jpg)
CONCLUSION
192
#20/152
Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks
![Page 193: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/193.jpg)
CONCLUSION
193
#3/13
Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks
![Page 194: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/194.jpg)
CONCLUSION
194
Hunting Reporting Disclosing
![Page 195: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/195.jpg)
CONCLUSION
195
 #   Vulnerability   Category         Bounty
11   XXXX            Mobile           ?
12   XXXX            Mobile           ?
13   XXXX            Mobile           ?
14   XXXX            Web              ?
15   XXXX            Infrastructure   ?
     Total                            ?
![Page 196: Even Giants Make Mistakes: 10 Interesting vulnerabilities in Instagram](https://reader034.fdocuments.net/reader034/viewer/2022042707/589efa071a28ab244d8b9786/html5/thumbnails/196.jpg)
THANK YOU! ANY QUESTIONS?
196