MyHackerNews

Instagram: User Accounts And Phone Numbers Exposed

Sync Contacts Attack @ZHACKER13

What happened:

Facebook has confirmed that user data may have been at risk due to a security vulnerability on Instagram. A security researcher going by the handle @ZHacker13 discovered the vulnerability. The exploit bypassed Instagram's security by abusing the platform's contact importer in combination with a brute-force attack on the login form, extracting the phone number and account number linked to a username and real name.

Instagram's security team has since patched the issue, and the security researcher was rewarded.

How it worked:

Step 1 – The attacker uses an algorithm to brute-force Instagram's login form, checking one phone number at a time to see whether it is linked to a live IG account. Each check returns a yes or no answer.

Instagram Phone Numbers Enumeration @ZHACKER13

Step 2 – Taking advantage of Instagram's Sync Contacts feature, the attacker matches the account name and IG number to the phone number. After the bot sets up a new account, IG asks to sync the newly created account's phone contact list. Normally this sends back accounts and names in bulk, without any way to link the account details to individual phone numbers. However, if the contact list contains only one number, the result shows the details linked to that number.

Sync Contacts Attack @ZHACKER13
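A defender's view of the two steps above, as an added example that is not from the original article or from Instagram: it scans constructed request events for one source trying many distinct phone numbers on the login form, and for repeated one-entry contact syncs. The event format, source labels and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events, not real Instagram logs (format is an assumption).
# Fields: (unix_time, source, kind, value)
#   kind "login": value is the phone number submitted as the login identifier
#   kind "sync":  value is the number of contacts in the uploaded list
EVENTS = (
    [(1000 + i, "src-A", "login", f"+1555010{i:04d}") for i in range(40)]
    + [(1000, "src-B", "login", "+15550990001"),
       (1030, "src-B", "login", "+15550990001"),   # same user retrying
       (1100, "src-B", "sync", 212)]                # ordinary address book
    + [(2000 + 5 * i, "src-C", "sync", 1) for i in range(6)]
)

def login_enumeration(events, window=60, max_distinct=10):
    """Sources that tried more than max_distinct different phone numbers
    on the login form inside any `window`-second span (step 1)."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, kind, value in sorted(events, key=lambda e: e[0]):
        if kind != "login":
            continue
        q = recent[src]
        q.append((ts, value))
        while q and q[0][0] <= ts - window:   # drop attempts outside the window
            q.popleft()
        if len({num for _, num in q}) > max_distinct:
            flagged.add(src)
    return flagged

def single_contact_syncs(events, max_small_syncs=3, small=1):
    """Sources that repeatedly sync a contact list of `small` entries or fewer,
    the pattern that tied one phone number to one account (step 2)."""
    counts = defaultdict(int)
    for _, src, kind, value in events:
        if kind == "sync" and value <= small:
            counts[src] += 1
    return {src for src, n in counts.items() if n > max_small_syncs}

if __name__ == "__main__":
    print("login enumeration:", sorted(login_enumeration(EVENTS)))
    print("single-contact sync abuse:", sorted(single_contact_syncs(EVENTS)))
```

Counting distinct identifiers rather than raw attempts keeps a user who retries one number from being flagged alongside a source cycling through many numbers.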


The news first appeared on Forbes, by Zak Doffman.