Today, even if an attacker gets into your social network account, it is unpleasant, but not critical. After all, most platforms use two-factor authentication and if the attacker does not have access to your email or phone, the account cannot be hijacked. Is that so?
No, this is not the case with Instagram, a social network used by 1 billion users (⅛ of the world’s population). And they refuse to fix it. In this article, we will tell you about a logical vulnerability that can allow anyone to hijack a person’s account until they contact Instagram support.
Table of Contents
Email and phone number change on Instagram
So, the attacker has somehow logged into your Instagram account in the app or web version. Perhaps he just found out your username and password, or maybe you forgot to log out on a public computer, this is not so important. By default, two-factor authentication is disabled for everyone.
Can he arrange something to take over your account for a long time? Yes, maybe that’s just the problem.
At night, around 3-4 in the morning, when you are most likely sleeping, he deletes the phone number associated with your account.
Do I need to confirm this operation? There is no need.
Will an SMS notification come to my phone number? No, it will not.
Will a push notification arrive in the app? No, it will not arrive.
After a couple of clicks and the phone number is no longer linked, you will only be notified by email and you will most likely see it only in the morning. Then email, which hackers can change too.
Do you need to confirm this action using the old email address? There is no need.
Will a push notification arrive in the app? No, it will not arrive.
All that remains is to confirm the new email using the link, what the attacker will do – and the email is changed. And you will be notified of this only by email, which you will most likely see only in the morning.
In this email regarding changes to your account, you will receive a return link to “secure your account here” (https://instagram.com/accounts/disavow). This will allow you to easily restore your old email and phone number connected to the account. This is the ONLY account hijacking protection mechanism, but it works. Is it possible to bypass it? Yes, it is.
Instagram account takeover
To gain control of an account and prevent the owner from getting it back, you just need to prevent the original owner from using return links. In the following example we will use these sample emails:
“[email protected]” is the email address of the original account owner.
“[email protected]” – the attacker’s first email address.
“[email protected]” the attacker’s second email address.
Attackers can through the following steps:
- The hacker removes the victim’s phone number from the account and changes the mail from [email protected] to [email protected].
- The hacker confirms the mail to [email protected].
- The hacker changes the mail from [email protected] to [email protected].
- The hacker confirms the mail to [email protected].
- The hacker clicks on the return link “secure your account here” (“https://instagram.com/accounts/disavow/**) to “[email protected]”and restores the account settings to use this email in the Instagram account while changing and password.
The hacker can then repeat steps 1-5 several more times. The process is very simple to do and there aren’t even any captchas to prevent this from being automated.
In our tests, repeating all the steps 3 times was enough for ALL return links in ALL emails to stop working. Using them several times in a short period of time will block the “secure your account here” return function. An attacker can also automatically repeat the steps to extend this block. This makes it impossible to recover the account without contacting customer support because none of the recovery links will work and the original owner of the account no longer has access to it even when using a device that was previously signed into the account.
Solutions to this Instagram hack
There are many solutions to this problem that Instagram could implement, for instance:
Ask account owners to confirm the action when changing the phone number or email by sending a code to the old phone number/email.
Block return links only in specific emails, not all.
Desirable:
Notify about changes in the account in the application and/or via SMS.
Facebook/Instagram reaction to this vulnerability being exposed
“As part of the exploitation of the problem you described, someone must take control of a user’s device and put that device in an unlocked and authenticated state. This is a very high barrier to entry and seems unlikely to happen normally, which makes this attack more theoretical. You can protect your profile by preventing anyone from stealing and unlocking your device. ”
Despite what the reply suggests, this vulnerability can easily be exploited if someone forgets to log out of their account after using a public PC, so even though the social media network refuses to acknowledge the issue, you can be informed and keep your account safe.
Original source link: https://habr.com/ru/post/532710/
