Bypassing Instagram Email Verification System

18 Mar 2015

Description

It is similar to the Oculus Email Verification Bypass vulnerability I reported except that it is only involved of changing attacker’s own email address for a couple of times and generating a new secret-token to the attacker’s own email inbox.

Yeah, and some Base-64 magics too. (not anything exciting!)

Next step is to change the email address to target’s email address. It sends a verification token to his account, which the attacker can’t access.

But attacker then uses initially generated tokens to successfully verify target’s email address on his Instagram account.

What’s less exciting about this bug comparing to the previous one is that it only allowed to use someone’s email address to create an Instagram account and verify it which definitely annoys the target, but never causes any harm in depth. Yet, Facebook rewarded this bug with a generous bounty.

 
Report sent : 22 Feb 2015 
Escalation : Never notified
Fix : 17 March 2015 
Bounty awarded : 18 March 2015

Hope you enjoyed reading it!

PageFault

Bypassing Instagram Email Verification System

Description

Related Posts

Leaking access tokens from Microsoft apps chaining two vulnerabilities 12 Dec 2018

Unvalidated URL Redirect - Facebook Bug Bounty 12 Jan 2017

Leaking Facebook appsecret_proof - Private Bounty 12 Nov 2016