
Instagram: User Accounts And Phone Numbers Exposed




What happened:

Facebook has confirmed that user data may have been at risk due to a security vulnerability on Instagram. A security researcher using the handle @ZHacker13 discovered the vulnerability. The exploit would bypass Instagram's security, specifically by using the platform's importer in combination with a brute-force attack on the login form, to extract the phone number and account number linked to a username and real name.

Instagram's security team has since patched the issue, and the security researcher was rewarded.

How it worked:

Step 1 – The attacker uses an algorithm to brute-force Instagram's login form, checking one phone number at a time to see whether it is linked to a live IG account; the form returns a yes or no answer.


Phone Numbers Enumeration @ZHACKER13

Step 2 – Taking advantage of Instagram's Sync Contacts feature, the attacker matches the account name and IG number to the phone number. After the bot sets up a new account, IG asks to sync the newly created account's phone contact list. In a normal situation this sends back accounts and names in bulk, without the ability to link the account details to individual phone numbers. However, if the contact list contains only one number, the result shows the details linked to that number.

Sync Contacts Attack @ZHACKER13
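A defender's view of the two steps above, as an added example that is not from the original article or from Instagram: a small detector over constructed log events that flags one source trying many distinct phone numbers on the login form, and one account repeatedly syncing a one-number contact list. The event fields, thresholds and source names are assumptions.

```python
from collections import defaultdict

WINDOW_S = 600         # bucket size in seconds (assumed)
MAX_PHONES = 5         # distinct phone identifiers one source may try per window (assumed)
MAX_SMALL_SYNCS = 3    # syncs of a 1-entry contact list per account per window (assumed)

def sample_events():
    """Constructed events; field names and values are made up for this example."""
    ev = []
    # client-A: eight login attempts, each with a different phone number (Step 1 pattern)
    for i in range(8):
        ev.append({"ts": 10 + i, "src": "client-A", "endpoint": "login",
                   "id_type": "phone", "identifier": f"+1555010{i:02d}"})
    # client-B: ordinary user, same number retried, then one large contact sync
    for i in range(3):
        ev.append({"ts": 20 + i, "src": "client-B", "endpoint": "login",
                   "id_type": "phone", "identifier": "+15550199"})
    ev.append({"ts": 30, "src": "client-B", "endpoint": "contact_sync", "contacts": 212})
    # acct-C: new account syncing a one-number contact list repeatedly (Step 2 pattern)
    for i in range(5):
        ev.append({"ts": 40 + i, "src": "acct-C", "endpoint": "contact_sync", "contacts": 1})
    return ev

def detect(events):
    """Return {source: {reasons}} for sources matching either step described above."""
    phones = defaultdict(set)       # (source, window) -> distinct phone identifiers tried
    small_syncs = defaultdict(int)  # (source, window) -> count of single-contact syncs
    flagged = defaultdict(set)
    for e in events:
        key = (e["src"], e["ts"] // WINDOW_S)
        if e["endpoint"] == "login" and e.get("id_type") == "phone":
            phones[key].add(e["identifier"])
            if len(phones[key]) > MAX_PHONES:
                flagged[e["src"]].add("phone-enumeration")
        elif e["endpoint"] == "contact_sync" and e["contacts"] == 1:
            small_syncs[key] += 1
            if small_syncs[key] > MAX_SMALL_SYNCS:
                flagged[e["src"]].add("single-contact-sync")
    return dict(flagged)

if __name__ == "__main__":
    for src, reasons in sorted(detect(sample_events()).items()):
        print(src, sorted(reasons))
```

Counting distinct identifiers rather than raw attempts keeps a user who mistypes a password on one number out of the results.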









The news first appeared on Forbes, by Zak Doffman 



