
How I Could Have Hacked Any Instagram Account - Garbage
https://thezerohack.com/hack-any-instagram
======
GhostVII
Using a phone number for password reset seems like a terrible idea in general,
especially if you have SMS-based 2FA. Phone numbers are way too easy to social
engineer, and if your second factor can reset your first one, you don't have
2FA.

Also if I am reading it correctly, it sounds like the rate limiting was being
done per-IP, which sounds strange. Why wouldn't Instagram just allow a fixed
number of tries (some low limit, like 25) from any IP before invalidating the
code? I don't really see a scenario where it makes sense to have per-IP rate
limiting here. I guess they are probably just using the rate limiting features
which are built in to whatever framework Instagram is using for their API.

~~~
CPLX
> Also if I am reading it correctly, it sounds like the rate limiting was
> being done per-IP, which sounds strange.

Seems to me that the main mistake was not rate limiting _per account_ right?
If you get 200k password requests for a single user something is severely
wrong.

Or maybe they did and it didn't work, he makes reference to a race condition
in the original post but doesn't elaborate.

~~~
hwstack
He didn't really explain it, but I think what was going on is the rate
limiting is done per account, and the race condition was a way to circumvent
that. He has to make all the requests very quickly because the first thing all
the requests are doing is determining if new requests for this account should
be ignored. All the requests are received around the same time, they all make
this check and decide they are valid requests, then they all report that an
attempt was made for that account (locking it).

The rate limiting for IPs is probably global (not related to the reset
endpoint).

~~~
yardstick
I think you are dead on; yeah, it’s the quick rate of large numbers of requests
that avoids the per-account rate limiting. Curious how they resolved this— run
all authentication requests for a given user serially and in a consolidated
fashion at some point? Exclusive-lock the relevant DB record before checking
the code and recording the failure?
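The race hwstack describes and the exclusive-lock fix yardstick proposes, as an added example that is not code from the thread or from Instagram: a limiter that reads and then writes a per-account attempt counter in separate steps, next to one that holds a per-account lock across both steps. The in-memory dict, the 10 ms sleep standing in for a database round trip, and all class and function names are assumptions of the example.

```python
# Added illustration (not from the thread): the check-then-record race described
# above, next to the per-account exclusive lock proposed as the fix. The dict and
# the 10 ms sleep are constructed stand-ins for a database read and write.
import threading
import time

MAX_ATTEMPTS = 5     # guesses allowed per reset code
ROUND_TRIP = 0.01    # simulated latency between reading and writing the counter


class RacyLimiter:
    """Check, then record, as two separate round trips."""
    def __init__(self):
        self.attempts = {}

    def try_attempt(self, account):
        count = self.attempts.get(account, 0)    # read
        if count >= MAX_ATTEMPTS:
            return False
        time.sleep(ROUND_TRIP)                   # concurrent requests all read the same count here
        self.attempts[account] = count + 1       # write: a lost update, so the limit never bites
        return True


class LockedLimiter:
    """Holds a per-account exclusive lock across both the check and the record."""
    def __init__(self):
        self.attempts = {}
        self.locks = {}
        self._guard = threading.Lock()           # protects the lock table itself

    def try_attempt(self, account):
        with self._guard:
            lock = self.locks.setdefault(account, threading.Lock())
        with lock:                               # serialises every attempt on this account
            count = self.attempts.get(account, 0)
            if count >= MAX_ATTEMPTS:
                return False
            time.sleep(ROUND_TRIP)
            self.attempts[account] = count + 1
            return True


def concurrent_attempts(limiter, account, n):
    """Release n requests for one account at once; return how many got to test a code."""
    barrier = threading.Barrier(n)
    accepted = []
    def worker():
        barrier.wait()
        if limiter.try_attempt(account):
            accepted.append(1)                   # list.append is atomic under the GIL
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)
```

With 50 simultaneous requests the racy limiter lets nearly all of them through, while the locked one admits exactly MAX_ATTEMPTS; the same property holds for a database row lock or a single per-account backend.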

~~~
chatmasta
Distributed rate limiting is hard. He could hit multiple front ends
simultaneously before they have a chance to catch up to the correct counts.

~~~
yardstick
Yeah it is hard. The enforcement would need to be done on a single backend.
Not all users need to have their auth done by the same specific backend, but
each user individually should always have their auth go to the same backend
(or same concurrency domain, if distributed locking applies to the
architecture).

------
someexgamedev
Is this reset mechanism conceptually flawed? Even with one attempt before
invalidating the code, you have a 1:999,999 shot of stealing someone's account
by lotto. Not bad odds for an automated process.

It's like every account on Instagram has an alternative six digit password.

~~~
floatingatoll
Sony was using 8 characters of alphanumeric at one point. They reduced it to 6
digits. It turns out that the chance of guessing six digits successfully given
one or two tries only is low enough to satisfy human beings when it comes to
“annoyance versus protection”, especially when codes expire after a couple
attempts.

~~~
throwaway66666
The problem with alphanumeric is that you have people from foreign countries
who do not even have an English keyboard installed on their phone. The default
is probably their native language and they do not care to add a secondary one
or switch.

Numeric values solve that problem.

edit: drunk typing

~~~
kalleboo
Is that a thing? Domain names, email addresses, passwords all tend to require
the latin character set. Here in Japan I can't remember seeing a single site
that uses kanji passwords.

------
degenerate
I spot-checked some of those IPs in the video, and it appears all of them are
on Amazon. So, what does the attacker's stack look like? Is it a bunch of
servers running PHP and listening for a connection to run curl? Or Lambda
functions configured to proxy the connection attempt to IG? Curious how much
effort goes into setting up an attack like this. It's surprising (to me) that
so many IPs can be used for so little money.

~~~
stibba
I'm curious too, how would he set up so many machines that do the same thing?

~~~
shawabawa3
It's very easy to terraform 1000 nano machines on EC2; as he said, it wouldn't
be expensive at all. In fact, he estimates $150, but for 1000 nano machines
for 10 minutes I believe it's under a dollar. Possibly nano machines aren't
powerful enough to spam the verify endpoint enough.

~~~
fredsted
Wouldn't you be hitting EC2 limits pretty quickly though? I guess you could
get them raised, but last time AWS wanted a valid reason.

~~~
shawabawa3
> but last time AWS wanted a valid reason.

Yep - my reason is normally "I'm planning a project that needs more instances"

I doubt they even look at that field to be honest

------
hmate9
This is probably applicable to a lot of other services.

I always find it weird that if I accidentally enter the wrong code, I get to
try again instead of being sent a new one.

~~~
np_tedious
Fat fingers happen, so I could see allowing maybe 3 attempts from a usability
and convenience standpoint.

Beyond that, definitely should regenerate / resend. This is to confirm you own
that phone number. It's not hard to get another.

~~~
penagwin
Yeah for sure, a few attempts isn't a problem IMO; even with only, say, 6 digits
there are too many permutations.

> I have used 1000 different machines (to achieve concurrency easily) and IPs
> to send 200k requests (that’s 20 percent of total one million probability)
> in my tests.

I'm just surprised nobody looked at a dashboard and said "huh this account is
getting 200k requests", surely that should be raising red flags?

~~~
kristiandupont
How many requests does IG handle per second? I am not even going to guess a
number but I am sure 1000 specific requests would drown in that. So you would
need a dashboard that specifically visualizes this kind of thing. Do that and
you are now protecting yourself in one type of scenario. But there are endless
other scenarios that you still wouldn't see.

~~~
penagwin
Authentication is certainly a scenario I think you'd want to monitor for brute
force attacks?

Sure IG gets 1000's+ requests a second, but they shouldn't be getting 1000's+
requests per second per user - especially on a login route.

I monitor 400 requests on our website - A massive spike in those would warrant
investigation.
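A per-account view of the kind penagwin describes, as an added example that is not from the thread: it counts attempts on the code-verification route per account inside a sliding window and reports how many distinct source addresses took part, which is what a per-IP limit or dashboard cannot show. The log format, route name, thresholds and sample lines are all constructed for the illustration.

```python
# Added example (not from the thread): counting verification attempts per account
# on the code-check route, the view a per-IP dashboard does not give. The log
# format, route name and thresholds are constructed for this illustration.
from collections import defaultdict

WINDOW_SECONDS = 60
MAX_PER_ACCOUNT = 20      # well above what a human with fat fingers produces in a minute
VERIFY_ROUTE = "/recovery/verify_code"


def parse(line):
    """Constructed log format: '<unix_ts> <account> <route> <src_ip>'."""
    ts, account, route, ip = line.split()
    return int(ts), account, route, ip


def find_bursts(lines, route=VERIFY_ROUTE):
    """Return {account: (attempts, distinct_ips)} for the busiest WINDOW_SECONDS
    window of each account whose attempts on `route` exceed MAX_PER_ACCOUNT."""
    per_account = defaultdict(list)
    for ts, account, r, ip in sorted(map(parse, lines)):
        if r == route:
            per_account[account].append((ts, ip))
    alerts = {}
    for account, events in per_account.items():
        start = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] <= ts - WINDOW_SECONDS:   # slide the window forward
                start += 1
            window = events[start:end + 1]
            if len(window) > MAX_PER_ACCOUNT and len(window) > alerts.get(account, (0,))[0]:
                alerts[account] = (len(window), len({src for _, src in window}))
    return alerts


def constructed_sample():
    """Two ordinary users (one retries after a typo) and one account hit
    from 60 different addresses in six seconds."""
    lines = [
        "1000 alice /recovery/verify_code 203.0.113.10",
        "1001 bob /recovery/send_code 198.51.100.7",
        "1004 bob /recovery/verify_code 198.51.100.7",
        "1009 bob /recovery/verify_code 198.51.100.7",
    ]
    lines += [f"{1010 + i // 10} victim /recovery/verify_code 192.0.2.{i + 1}"
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for account, (attempts, ips) in find_bursts(constructed_sample()).items():
        print(f"ALERT {account}: {attempts} code attempts from {ips} addresses in {WINDOW_SECONDS}s")
```

The two ordinary users never trip the threshold, while the targeted account shows 60 attempts from 60 addresses, the signature of a distributed guess rather than a forgetful owner.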

~~~
ilikehurdles
I'm sure IG gets several orders of magnitude more than 1000s of requests per
second. Even if a dashboard existed visualizing excess request traffic per
route per user, when you're talking about this kind of request volume, there
is an indexing lag + a reporting lag + alerting lag (assuming there is
alerting on this specific scenario on top of the dashboard) + human or
automated response lag. It sounds like this attack could be completed in
minutes rather than hours or days, it's feasible that it would have succeeded
well before anyone got around to mitigating it.

------
filleokus
I quite recently learnt about “Residential proxies”, for a scraping idea I
had. Seems like that can be useful for attacks like this.

It’s surprisingly cheap to get access to services which fan out your requests
over millions of normal residential IPs, making them (I assume) hard to block.

Of course their use can be highly objectionable, as well as how they got the
proxies installed in homes of people in the first place (semi-malware?)

E.g. [https://oxylabs.io/pricing/residential-proxy-pool](https://oxylabs.io/pricing/residential-proxy-pool)

~~~
sbarre
This has to be provided by a botnet or some other malware, right?

They claim 30M residential IP addresses.. How would this be done otherwise?

There's no info on the site about "signing up" to be a proxy, just about using
them..

~~~
filleokus
There are several of these providers, and the only one I noticed saying how
they acquired the IP's was Luminati [0]. I didn't look too carefully on all of
them though.

> When these application vendors integrate the Luminati SDK, their users are
> offered the alternative to not watch these video ads in return for opting in
> to the Luminati network.

[https://luminati.io/faq#lum-peers-join](https://luminati.io/faq#lum-peers-join).

------
deanclatworthy
Pretty interesting that distributed circumvention of rate limiting has to be
considered its own class of vulnerability nowadays. I would think (of course)
many other services are vulnerable. Rate limiting is hard.

------
tuna-piano
Could someone explain how this person is allowed to do that type of testing
(sending 200,000 requests)? How would Facebook know he is a white hat and not
a black hat?

I would be interested in starting to try some of these programs, but a bit
scared I'd be doing something illegal... Where is the line?

~~~
btown
The actual "bug" is that Facebook did not have sufficient controls in place to
even detect this type of brute-force attack, much less make it impossible to
attempt in the first place. Facebook seems (IN THIS INSTANCE) to have
appreciated the white-hat nature of this and awarded the bug bounty, but it
very well might not have. And certainly other organizations don't take nearly
as friendly stances. Generally, I wouldn't bet on most organizations seeing
brute-force attacks as in-scope for bug bounties - this is by no means legal
advice though.

------
Swaglord333
I feel like this was worth more than 30k

~~~
ryanlol
To people selling IG accounts, yes. Not to facebook.

------
paulpauper
The real vulnerability is that Amazon makes it very cheap to make a botnet
almost instantly

~~~
dane-pgp
So what pricing changes would you recommend Amazon adopt to make this sort of
whitehat security research prohibitively expensive?

------
mcnichol
So a bit of a strongly worded title. I'm going to nitpick for a second.

First you need the device-id, second you need the code that will be sent via
text.

The code sent via text is 6 digits meaning 10^6 == 1MM permutations. He shows
how he can enumerate these using 1K IP's ultimately bruteforcing the reset
code.

The Device ID is still not captured although I'm guessing they allow
handwaving via a malicious app or something of that nature.

Credit where credit is due, he cleverly enumerates them concurrently across 1K
IP's and earned his bonus.

Interested how they fixed it...guessing adding a random session guid in the
url and maybe increasing entropy && length of the secret.

~~~
AgentME
He's doing the password reset flow from his own device, and receives a link to
the form containing the session id and his device id. He doesn't need to
bruteforce those.

Instagram had a limit on the number of times that the user could guess the
code, but they had a race condition that let the limit be bypassed. The fix is
for them to fix the race condition.

------
T1glober
This is pretty much dependent on your attack vector being, for the most part,
infinite. Method of delv and spawn rate, etc.

A 0day RAT for android was hitting about 500 devs per second before getting
fixed.

------
fortran77
That's some hole! Imagine if this were used to get access to a celebrity's IG
account. A lot of "damage" to a celebrity brand could have been done.

~~~
rdtwo
Lol log in to a celebrity account, announce support for Donald Trump. Enjoy
the ensuing dumpster fire

------
herpderperator
Seems like a lot of improvements could have been made here. After you get the
code wrong, it should reset and send you a different code. If you get more
than 3 wrong in some pre-determined time, it should lock the person out for
some other pre-determined time. You could even use exponential backoff time in
both scenarios. Keeping the code the same after getting it wrong just seems
really stupid.

~~~
hkai
Mathematically, does regenerating the code make a lot of difference?

You can simulate that by running a loop that generates a random 4-digit number
in each iteration and randomly guessing it.

On average, you will guess the number after 10,000 iterations. It doesn't help
that you regenerate the number each time. Your chance is still 1/10,000.
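As an added calculation (not part of the comment above), the expected number of guesses for a space of N codes under the two models the comment describes:

With a fixed code, a guesser who never repeats a code succeeds on guess k with probability 1/N for each k from 1 to N, so

$$E[T_{\text{fixed}}] = \sum_{k=1}^{N} \frac{k}{N} = \frac{N+1}{2}$$

With a fresh code after every wrong guess, each guess is an independent trial with success probability p = 1/N, so T is geometric and

$$E[T_{\text{regen}}] = \sum_{k=1}^{\infty} k\,(1-p)^{k-1}\,p = \frac{1}{p} = N$$

For N = 10^4 that is 5,000.5 expected guesses against 10,000, and with regeneration no number of guesses ever makes success certain: the probability of still not having the code after k guesses is (1 - 1/N)^k, roughly e^{-k/N}.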

------
rwmj
I wonder if they (FB) have an IPv6 API endpoint. That could make acquiring the
necessary number of distinct IP addresses much easier.

~~~
miyuru
All Facebook services are IPv6 enabled by default and their internal network
is IPv6 only.

[https://code.fb.com/production-engineering/legacy-support-on-ipv6-only-infra/](https://code.fb.com/production-engineering/legacy-support-on-ipv6-only-infra/)

------
eitland
Now this left me wondering how hard it would be to guess the bugcrowd url at
the bottom of the last picture.

~~~
odensc
I've always wondered - is there some kind of software that can match font
glyphs from a partial image?

------
w8rbt
I'd just use IPv6 and Go from AWS. No need to have 1000's of machines.

------
Hitton
Nice find, but the original author has no idea what race condition means. This
isn't a race condition, it's just brute force combined with per-IP rate limiting
avoidance.

------
thtthings
Why do they not lock the account after n tries, say 5?

The user will need to use a different way to authenticate if they can't enter
the correct code in 5 tries

~~~
rileymat2
It gets tricky to implement lockouts, so the next article very well could be
"How I DOSed all of Instagram"

[Obviously, there are ways, just easy to screw up]

------
ape4
I need to say "endpoint" (rather than URL) to sound current.

------
mychael
Low bounties like that are going to motivate hackers to sell to malicious
actors instead of going through the proper channels.

Facebook should know better.

~~~
bhandziuk
$30,000 is a low bounty? It seems like a lot of money to me. How much should
they reward?

------
mettamage
I saw this a couple of days ago in the /new section. It seems some good
modding is being done!

I take my hat off for you mister (or miss) mod :)

------
atum47
nice job

------
rolltiide
"WE have decided to reward you $30,000"

should be

"Because the market has decided that hacking top tier instagram accounts is
worth a low seven figures, here is your $1,000,000 payout to save you the
time, effort and liability of monetizing this yourself"

~~~
tptacek
I don't see any evidence that the market has given a 5-figure value, let alone
a 7 figure value, to temporary access to an Instagram account.

~~~
FDSGSG
Instagram names regularly sell for 5-figure prices on swapd/ogusers. You
wouldn't want to go after active accounts.

~~~
tptacek
And? How much are you going to pay for a script that lets you steal inactive
Instagram accounts that you will then go on to sell on a grey market? You're
not going to do it yourself, because when (not if) it's discovered how this
happened, there will be an investigation, and you'll get caught, lose all the
money you "earned" in legal fees, and (bypassing a login screen is _textbook_
, right-in-the-strike-zone CFAA) spend months in prison. So you have to sell
it to someone. How much are they paying? How many buyers are there for it? How
long do they get to assume the script will keep working? The more people you
sell it to, the less time each of them have to run it. And: when _they_ get
caught, if you've sold to several people, there's a significant chance you're
going to get caught.

~~~
rolltiide
The hijacking happens on the grey market because there is no reliable escrow
agent and it's already against the terms of service of IG.

You don't need this script to find the accounts; you would use it when you
promised to buy or sell an account and hack the phone-number-based 2-factor

to either assume control of the account without paying, or steal it back.

But if you did want to scale this up to stealing normal users' accounts,
stealing Instagram accounts is merely a factor of changing the email address
twice and then the account name. After which the original owner knows their
account got stolen but has no record of the account lol, because they don't
know the account ID, just the old username and email address which is super
gone and doesn't match any record. You won't get caught primarily because
there are too many barriers of entry for someone to take it seriously enough
to investigate.

~~~
mlrtime
This is true, the only way I've seen accounts recovered:

1) Hire a lawyer and threaten a lawsuit.
2) If you have the ID you can hire a hacker to get it back.

~~~
rolltiide
Thanks for chiming in, the people on hackernews often want an easily
google-able peer reviewed study on some stuff that's private for a reason.

It's lazy to derail a discussion with “I didn't see it so SOURCE! Ha I'm so right
about everything your whole argument is invalid”

instead of

“oh that's a problem what can we do about that” especially when unsubstantiated
nonsense isn't really a big problem here, while completely misunderstanding
problems and solutions is what this forum gets laughed at about.

------
paulpauper
$30,000 for that?

> In a real attack scenario, the attacker needs 5000 IPs to hack an account. It
> sounds big but that’s actually easy if you use a cloud service provider like
> Amazon or Google. It would cost around 150 dollars to perform the complete
> attack of one million codes.

No, it does not have nearly that many. I think they only have 100 or so. IPs
are expensive. It would probably cost thousands of dollars to pull this off.

~~~
shitloadofbooks
Rather than guessing, you can check yourself:
[https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html)

AWS has _millions and millions_ of IPv4 addresses and an unfathomably large
amount of IPv6 addresses.

