Just the title is enough to get you excited, right? OK, grab your coup of coffee and bare with me on this one.

The Intro

A couple of days ago while testing a website for bugs, I had Instagram open in one of my tabs. At some point, that tab sent some data to its servers, and my proxy intercepted it, bringing to my attention a better target with higher bounty opportunities.

There is a POC video about this but Don't knows how to post it here.

After hours of trying to find some weakness, I gave up. Just there, I received an Email from HackerOne asking me for more information about a previous report involving a flaw in a logic reset password link from days before. In all honesty, I didn’t want to try to test Instagram for this same flaw, because we all know that their security is over the top, or at least that is what I thought.

My Treasure

Instagram has a weird flaw with its password reset links. These are the steps to reproduce it.

1. Ask for two password reset links, open them both in your browser.
2. While having both taps open, in one of the tabs, change your password.
3. After changing the password go to your settings and log out.
4. Now, hop on to the second tab, and change the password again, just as you did before.

Here is the problem, Instagram is failing to kill the second unused link. This flaw leaves attackers to take over your account because is letting them change your password a second time using a link that should not be working.

The Real Threat

The bigger problem with this flaw is not only that it lets you reset the password again using a link that was not supposed to work. Here is a more dangerous list of things I learn about it while testing it.

1. When you change the password the first time, you will get an Email telling you about it. But when you do it the second time, you will get none.
2. Proceeding to open your phone native Instagram app will log you out, just as it should. But when you try to log back in using the lasted password made, it won’t let you. It only accepts the first password ever made using the two links.
3. Unlike most reset links. Which are long strings of code, changing every time you get a new link. This one only varies at a single 5/6 letter word used as a token for your account.

The Result And A Very Likely Attack Scenario

The Victim;
You ask a known person for their phone to make a phone call or search for something because you can’t use your phone at the moment. You go to this person’s Instagram, take a look at his Email, make a story saying you had been hacked, and log him out.

After logging him out of his account, ask twice for a Password Reset Link. Open his mail app and remember the 5/6 letter token of the link. As a time-saver, you will already have your phone browser tab open at your own password reset link. Now change your Token for his.

Once that person gets back his phone and tries to enter his profile, something that is not guaranteed to happen right away, he will notice two things, his account being log out and a new email for a password reset. This person’s first reaction will be to panic and try to get back his profile using that E-mail. Once in his profile, he will go on and check on it and see the Instagram Story saying you had been hack and take it down.

Attacker;
Using your own Instagram account in the native app, you will be checking on the victim account for a hint on when to attack. The hint? The Instagram story we made earlier or even the account going private for fear of any more “attacks”. Once you get that hint, go ahead and change the password from your open tab. He will not get an Email telling him about it, plus his password will still work in case he gets to log out after you change it.

Seen this is something serious, I reached out to Facebook to inform them about my findings, Thinking that I just found something of interest. Many things were not working as they should and because this is something very likely to happen even to people who leaves their phone unseen at places like meetings or gyms, I myself had seen this many times.

Their Response

They replied to me very quickly, but to be honest. I was not expecting the kind of response I received. In the initial reply, they didn’t even understand what I was showing to them using a POC video, which is why I went back and forward with them, trying to explain to them using words what was very clear in a video and two photos *facepalm*

Finally, when they couldn’t deny the flaw, this was their response.

I was astonished to read this because we all use WhatsApp, and all know they don't let people use their WhatApp on two different phones. Why? Because anyone can just “hack” your account and use it in more than one place if they get to your phone. Sure using his same logic some phones will be locked but at least for androids users, this will not stop an attacker from brute-forcing your phone, I even sent them a video about it.

They are not trying to use the same WhatsApp logic here. In their eyes, this is a “theoretical attack”, because they don't believe attackers can't get to victims' phones or even Emails. To prevent these attacks they only let users use one account.