How I could’ve bypassed the 2FA security of Instagram once again?
2022-2-22 13:4:29 Author: infosecwriteups.com

This started when I became interested in bypassing Instagram's 2FA through the email account connected to the Instagram account, as I had always felt that this integration was somewhat less secure and that there might be ways to bypass it. In November 2020, I found a way to bypass Instagram's 2FA using the ‘secure your account here’ option that comes with the ‘Email Changed’ notification email from Instagram.

But because of the high attack complexity, the Facebook Security Team closed it as Informative and apparently didn't fix it. But, as I mentioned in that report:

“A vulnerability is a vulnerability, and it may somehow affect something someday, or open doors to even more scenarios if left unfixed.”

I still felt there might be ways to bypass 2FA through the email, but I wasn't actively testing it until DMs started flooding my Instagram message requests from different people asking me to bypass 2FA on their Instagram accounts. Some genuinely needed help, as they had lost their means of completing 2FA verification and could not get back into their personal or business accounts. In most cases, of course, I could do nothing from my side except point them to Instagram Help for 2FA recovery. But this dissatisfaction also fueled me to search seriously for neat ways to bypass 2FA.

In late January this year, with that earlier report as a reference, I started looking for the different endpoints that link access to a user's Instagram account with the email itself. Using the various automated emails Instagram had sent over time about password changes, email changes, password resets, 2FA enabled, 2FA disabled, and so on, I compared them and the endpoints they carried, and noticed a unique button in the current password-reset emails.

Screenshot: the Instagram email interface containing the reset and login links for the user account

we’ve made it easy to get back on Instagram

Actually yes, a lot easier due to this ; )

So, these days, when a user requests a login link using the ‘Forgot Password’ option, the email contains two buttons: a direct login button and a password-reset button. In previous years it did not look like that: you would get only one button, ‘Log in as …’, and below it a link carrying the reset token, ‘You can also reset your Instagram password’, like this:

Reset Email from Instagram: Previously

Hence, since there was a new button for the same reset functionality, I was curious to test this button on mobile, because when a clickable button is included, usually a new interface has been designed inside the app for the button to redirect to when clicked. Exactly as expected, after clicking the ‘Reset your password’ button above, I was redirected to the Instagram app, to what seemed to be a relatively new interface for resetting the account password.

So without hesitation, I started the 2FA bypass test using the following reproduction steps:

Assuming my phone to be the attacker's device and my PC to be the victim's device:

1. I created a test Instagram account and enabled 2FA for it using the Instagram web.

2. Then, assuming the attacker has compromised the victim's email account, the attacker logs into the victim's email account in the respective email app.

3. After that, the attacker simply goes to Instagram >> Forgot Password, enters the victim's Instagram username and requests a login link to be sent to that email.

4. Finally, the attacker receives the “we’ve made it easy to get back on Instagram” email from Instagram in the victim's email account, clicks the vulnerable ‘Reset your password’ button, is redirected to the password-reset interface in the Instagram app, resets the password and...

GUESS WHAT?

Congratulations!🥳 You've got into an Instagram account without any 2FA validation or 2FA check.

To make it tastier, the attacker can now disable 2FA on the victim's account under Settings >> Security >> Two-factor authentication, completely taking over the victim's “SECURED” Instagram account.

If you're wondering “What about the web?”, that is, what happened when the ‘Reset your password’ button was clicked on the Instagram web/PC: on the web it wasn't vulnerable. The button redirected (and still redirects) the user to the same old Instagram reset page, where you can reset the password, but it then compulsorily asks for an OTP because of the proper 2FA check before you get into the account.
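The root cause described above is that the two clients enforced the post-reset 2FA check differently. The following Python model is an added example, not Instagram's code: it contrasts a reset handler that hands out a full session straight from the email link (the mobile behaviour in the write-up) with one where every client passes through a single gate that leaves a 2FA-enabled account in a "pending_2fa" state until an OTP is verified. All names (`Account`, `issue_reset_token`, `reset_password_hardened`, etc.) and the in-memory token store are hypothetical.

```python
import secrets, time
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    password: str
    two_factor_enabled: bool
    # Constructed in-memory store of reset tokens: token -> expiry timestamp
    reset_tokens: dict = field(default_factory=dict)

def issue_reset_token(acct: Account, ttl_s: int = 900) -> str:
    """Email-link step (hypothetical): mint a single-use, expiring reset token."""
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token] = time.time() + ttl_s
    return token

def consume_reset_token(acct: Account, token: str) -> bool:
    expiry = acct.reset_tokens.pop(token, None)  # pop makes the token single-use
    return expiry is not None and time.time() < expiry

def reset_password_vulnerable(acct: Account, token: str, new_password: str):
    """Models the app flow in the write-up: a valid reset link yields a fully
    authenticated session with no 2FA step, regardless of the account setting."""
    if not consume_reset_token(acct, token):
        return None
    acct.password = new_password
    return {"user": acct.username, "state": "authenticated"}

def reset_password_hardened(acct: Account, token: str, new_password: str):
    """One gate for every client: a reset link only proves control of the mailbox,
    so a 2FA-enabled account gets a 'pending_2fa' session that cannot reach
    security settings until complete_2fa() confirms an OTP."""
    if not consume_reset_token(acct, token):
        return None
    acct.password = new_password
    if acct.two_factor_enabled:
        return {"user": acct.username, "state": "pending_2fa"}
    return {"user": acct.username, "state": "authenticated"}

def complete_2fa(session: dict, otp_ok: bool) -> dict:
    if session["state"] == "pending_2fa" and otp_ok:
        return {**session, "state": "authenticated"}
    return session

def can_change_security_settings(session) -> bool:
    """Disabling 2FA (the takeover step above) must require a fully authenticated state."""
    return session is not None and session["state"] == "authenticated"
```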


Source: https://infosecwriteups.com/how-i-couldve-bypassed-the-2fa-security-of-instagram-once-again-43c05cc9b755?source=rss----7b722bfd1b8d--bug_bounty