White-hat hacker Laxman Muthiyah has published a technique that could have been used to hack anyone's Instagram account. Muthiyah reported the issue to Facebook, the operator of Instagram, and the vulnerability has already been fixed.

How I Could Have Hacked Any Instagram Account - The Zero Hack

The vulnerability that Muthiyah discovered was in the password reset system. Instagram's password reset uses a 6-digit verification code sent by SMS to the registered phone number. A filter is applied to verification code submissions, so that once more than a certain number of codes have been entered from the same IP, further attempts are not accepted.

However, Muthiyah discovered that the filter became saturated and let requests through when a large number of 6-digit verification code submissions were sent to Instagram simultaneously from multiple IP addresses. By exploiting this vulnerability, he found that brute-forcing every code from '000000' to '999999' could break through the password reset system and give unauthorized access to any Instagram account.
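A defender's model of the flaw described above, added here as an example (it is not the researcher's script or Instagram's code): with only a per-IP filter, many sources together get a large share of the 6-digit keyspace evaluated, while a cap tied to the issued code does not. The per-IP limit of 200, the per-code cap of 5 and all names are assumptions; the page does not say how Facebook fixed the issue.

```python
import hmac
import secrets
from collections import defaultdict

class ResetCodeVerifier:
    """Toy model of a 6-digit reset-code check (constructed for illustration)."""

    def __init__(self, per_ip_limit, per_code_limit=None):
        self.per_ip_limit = per_ip_limit      # the per-IP filter the article describes
        self.per_code_limit = per_code_limit  # assumed mitigation: cap per issued code
        self.ip_tries = defaultdict(int)
        self.code_tries = defaultdict(int)
        self.codes = {}

    def issue(self, account):
        self.codes[account] = f"{secrets.randbelow(10**6):06d}"
        self.code_tries[account] = 0
        return self.codes[account]

    def verify(self, account, guess, source_ip):
        code = self.codes.get(account)
        if code is None:
            return "blocked"                  # no live code: a new one must be requested
        if self.ip_tries[source_ip] >= self.per_ip_limit:
            return "blocked"                  # this source has used up its attempts
        self.ip_tries[source_ip] += 1
        self.code_tries[account] += 1
        if self.per_code_limit and self.code_tries[account] > self.per_code_limit:
            del self.codes[account]           # burn the code whatever the source IP
            return "blocked"
        if hmac.compare_digest(code, guess):
            del self.codes[account]           # codes are single use
            return "ok"
        return "wrong code"

def guesses_evaluated(verifier, account, sources, tries_per_source):
    """Count how many guesses are actually compared with the live code."""
    verifier.issue(account)
    evaluated = 0
    for s in range(sources):
        for _ in range(tries_per_source):
            # Constructed guess "xxxxxx" never equals a digit code, so the
            # count does not depend on which random code was issued.
            if verifier.verify(account, "xxxxxx", f"src-{s}") != "blocked":
                evaluated += 1
    return evaluated

# Constructed scenario: 1000 sources (the article's figure), 200 tries each.
ip_only = guesses_evaluated(ResetCodeVerifier(200), "alice", 1000, 200)
capped = guesses_evaluated(ResetCodeVerifier(200, per_code_limit=5), "alice", 1000, 200)
```

With the per-IP filter alone the service evaluates 200,000 guesses against one code, a fifth of the keyspace; with the per-code cap it evaluates 5 and then invalidates the code.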

The following article shows that as of 2016 Facebook did not even have such a filter. Facebook later introduced the filter in response to that report, but it was incomplete, and this time Muthiyah broke it.

Vulnerability in Facebook's password reset turned out to allow full access to other people's accounts - GIGAZINE

The video in which Muthiyah actually breaks through Instagram's password reset system is below.

How I Could Have Hacked Any Instagram Account | Proof of Concept - YouTube

The IP addresses used for the attack are lined up like this.

Clicking 'Go' starts a custom script that runs on Burp Suite, a tool often used in vulnerability assessment...

The correct authentication code turns out to be “834506”.

The roughly 200,000 authentication codes other than the correct “834506” are all shown as “wrong code”.

The authentication code “834506” is the correct one because it passed verification on the server.

According to Muthiyah, preparing 1000 different IP addresses is easy with cloud services such as AWS and GCP, so this method is easier than you might imagine, and $150 (about 16,000 yen) is enough to hack a single account. Since this technique could be used to hack any celebrity's Instagram account, $150 is quite cheap.

Facebook has acknowledged that Muthiyah's method works. The vulnerability has been fixed and Muthiyah has been awarded $30,000 (about 3.2 million yen) as a bounty.

