
How I hacked Instagram to see private photos - lelf
http://insertco.in/2014/02/10/how-i-hacked-instagram/
======
tantalor
@phr0nak: Great article, but you should spend more time editing, or get a
friend who is fluent in English to help you (I assume you are not).

Phrases like "Due I guessed the website could be already audited and secure"
are difficult to understand.

I think you meant, "[Since/because] I guessed the website [would already
be]..."

~~~
phr0nak
Thanks for your comments :)

~~~
iunk
Maybe you should write in your native language, and let everyone else learn
the language. I don't like it when people criticize your writing skills when
it's not your native language.

~~~
mentat
Or maybe he wants the largest possible audience and the comment is aimed at
getting him that.

------
badman_ting
Does checking the UA string offer much security? I've always been under the
impression that it's essentially user input and not to be trusted. But yeah,
that is a pretty nasty CSRF. Good post, thanks.

~~~
phr0nak
As you said, checking the User-Agent does not offer much security, but at this
point, it is more than nothing. I know that the Instagram team is studying
other ways (csrftoken among others) to protect their website or application
against this kind of attack. Thanks.

------
juliann
I was wondering how generous the reward Facebook gives for helping them find
this kind of security issue is; can you share that? (If you feel that you
don't want to share this kind of information, that's completely fine with me;
I'm just curious.) Thanks and congrats, good research!

~~~
chc
[https://www.facebook.com/whitehat](https://www.facebook.com/whitehat) for the
general details.

------
xerophtye
Well, there seems to be a certain exploit going around on FB. It's a picture
that claims "hack anyone's account by opening their profile and copy-pasting
this code into the web console", where said code uses your logged-in
credentials to make FB API calls. The version I saw made you like a bunch of
pages, follow a bunch of people and tag all of your friends in the comments on
that picture. But I wonder if the same can be used to change the privacy
settings.

------
marclipovsky
I'm impressed that you got a reward considering Instagram is on their
exclusions list for bug bounties. Well done!

~~~
phr0nak
I think you're wrong. Read the "Exclusions" section carefully on
[https://www.facebook.com/whitehat](https://www.facebook.com/whitehat)

------
8ig8
116 days (almost 4 months) from first report to bounty payment. Longer than I
expected. Is this typical?

------
aabalkan
Wow, not even a Referer header check was in place.

~~~
kclay
You would be surprised at what some people leave behind. I'm doing some work
on an app that has in-app payments, but the payments are not verified on the
server to unlock o_0. This is just a big no-no. I just wonder how many other
companies have this same simple error.
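The three defences raised in this thread (the User-Agent check, a Referer/Origin check, and a csrftoken) side by side, as an added example that is not code from the post, from Instagram or from Facebook. The trusted hostnames, the "Instagram" User-Agent prefix and the two sample requests are constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the first-party hostnames a real deployment would trust.
TRUSTED_ORIGINS = {"www.instagram.com", "instagram.com"}


def check_ua_only(headers):
    """The header-only check: passes whenever the expected User-Agent shows up.
    The value is public and chosen by whatever client sends the request, so it
    ties the request neither to the user's session nor to a first-party page."""
    return headers.get("User-Agent", "").startswith("Instagram")  # assumed prefix


def origin_is_trusted(headers):
    """Defence in depth: Origin (or, failing that, Referer) must name a trusted
    host. Browsers fill these in themselves, so a request launched from another
    site names that site here rather than the first-party one."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    return urlsplit(source).hostname in TRUSTED_ORIGINS


def check_csrf_token(session, form, headers):
    """Synchronizer-token check: the form must echo the secret issued to this
    session (compared in constant time) and the request must come from a trusted
    origin. Another site cannot read the token, so it cannot produce a request
    that passes."""
    expected = session.get("csrftoken")
    supplied = form.get("csrftoken", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied) and origin_is_trusted(headers)


def new_session():
    """Issue a fresh per-session token at login; it lives in the server session."""
    return {"csrftoken": secrets.token_urlsafe(32)}


def demo():
    """Run both checks over two constructed requests: one from the first-party
    page carrying the token, one cross-site carrying only the expected User-Agent."""
    session = new_session()
    first_party = ({"User-Agent": "Instagram 5.0", "Origin": "https://www.instagram.com"},
                   {"privacy": "private", "csrftoken": session["csrftoken"]})
    cross_site = ({"User-Agent": "Instagram 5.0", "Origin": "https://other-site.example"},
                  {"privacy": "public"})
    return {"ua_first_party": check_ua_only(first_party[0]),
            "ua_cross_site": check_ua_only(cross_site[0]),
            "token_first_party": check_csrf_token(session, first_party[1], first_party[0]),
            "token_cross_site": check_csrf_token(session, cross_site[1], cross_site[0])}
```

`demo()` shows the difference: the User-Agent check accepts both requests, while the token-plus-origin check accepts only the first-party one.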

------
btbuildem
Amazing font shadows, so unreadable...

~~~
trippy_biscuits
I can't read that page without getting ill. Even highlighting doesn't help.

~~~
phr0nak
Sorry to hear that. I'll fix this issue as soon as possible.

------
1337biz
Now, where is Hunter Moore when he is needed the most?

Oh right, grounded in his parents' basement.

~~~
Gracana
Nobody -- past, present, or future -- needs Hunter Moore.

