Google Translater
IP Address
You are from
%%v_FLG%% %%v_IP%%
%%v_CR%% ,%%v_RG%%, %%v_CI%%
%%v_OS_IMG%% %%v_OS%%
%%v_BRW_IMG%% %%v_BRW%%
%%v_I_RESO%% %%v_RESO%% %%v_I_CLR%% %%v_CLR%%
%%v_FLG%% %%v_IP%%
%%v_CR%% ,%%v_RG%%, %%v_CI%%
%%v_OS_IMG%% %%v_OS%%
%%v_BRW_IMG%% %%v_BRW%%
%%v_I_RESO%% %%v_RESO%% %%v_I_CLR%% %%v_CLR%%
Who is online?
In total there is 1 user online :: 0 Registered, 0 Hidden and 1 Guest None
Most users ever online was 17 on Mon Nov 13, 2023 12:55 am
Visitors
Hack Instagram Account
Page 1 of 1
Hack Instagram Account
Nir Goldshlager Founder of [You must be registered and logged in to see this link.] find the critical vulnerability in Instagram. Succesful hack allows attacker to access private photos and ability to delete victim's photos, edit comment and post new photos.
1. Hijack Instagram accounts using the Instagram OAuth (https://instagram.com/oauth/authorize/)
2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)
He reported a few issues to Instagram Include OAuth Attacks, But the acquisition didn’t closed yet and Facebook Security was unable to put their hands on security issues in Instagram, So I was waiting, Waiting like a good WhiteCollar, Then Facebook Security send me a message, They say even that they was unable to fix this issues because the acquisition didn’t closed yet, They will still payout for this vulnerabilities,
So, first, checked Instagram’s OAuth protocol: (http://instagram.com/developer/authentication/)
While researching Instagram’s security parameters, Nir noticed that Facebook Security had produced some impressive results in regard to their own Instagram OAuth vulnerabilities. They essentially blocked access to any and all files, folders, and subdomains by validate the redirect_uri parameter.
In addition, redirection was only allowed to go to the owner app domain.
Thus, hacker needed to locate some other way to get past their protection. Further complicating the issue was the fact that you can’t use a site redirection / XSS on the victim’s owner app. This is because you have no access to the files or folders on the owner app domain through the redirect_uri parameter.
Block Files Folders
For example:
Allow request:
[You must be registered and logged in to see this link.]
Block requests:
Redirect_uri=https://www.breaksec.com
Redirect_uri=https://a.apigee.com/
Redirect_uri=https://apigee.com/x/x.php
Redirect_uri=https://apigee.com/%23,? or any special sign
As it stands, it appears that the redirect_uri is invulnerable to OAuth attacks.
While researching, I came upon a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth and then send the access_token code to their own domain.
For instance:
Let’s say Nir app client_id in Instagram is 33221863xxx and my domain is breaksec.com
In this case, the redirect_uri parameter should allow redirection only to my domain (breaksec.com), right? What happens when we change the suffix in the domain to something like:
Breaksec.com.mx
In this example, the attacker can send the access_token, code straight to breaksec.com.mx. For the attack to be successful, of course, the attacker will have to buy the new domain (in this case, breaksec.com.mx).
PoC Bypass (Fixed By Facebook Security Team):
[You must be registered and logged in to see this link.]
Game Over.
Bug 2.
With this bug, Nir used the Instagram client_id value through the Facebook OAuth (https://www.facebook.com/dialog/oauth).
When you use the Instagram app, it can be integrated with Facebook.
For example:
When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place.
[You must be registered and logged in to see this image.]
Instagram Would like to access your public profile and friend list
Nir discovered that an attacker can use virtually any domain in the redirect_uri, next parameter. This was actually sort of baffling, and I don’t know why this happened, but it worked. You can literally use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id.
This effectively allows the attacker to steal the access_token of any Instagram user,
With the access_token the attacker will be able to post on the victim behalf in his Facebook account, Access to his private friends list.
PoC (Facebook Already fixed this issue):
[You must be registered and logged in to see this link.]
VIDEO:
[You must be registered and logged in to see this link.]
1. Hijack Instagram accounts using the Instagram OAuth (https://instagram.com/oauth/authorize/)
2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)
He reported a few issues to Instagram Include OAuth Attacks, But the acquisition didn’t closed yet and Facebook Security was unable to put their hands on security issues in Instagram, So I was waiting, Waiting like a good WhiteCollar, Then Facebook Security send me a message, They say even that they was unable to fix this issues because the acquisition didn’t closed yet, They will still payout for this vulnerabilities,
So, first, checked Instagram’s OAuth protocol: (http://instagram.com/developer/authentication/)
While researching Instagram’s security parameters, Nir noticed that Facebook Security had produced some impressive results in regard to their own Instagram OAuth vulnerabilities. They essentially blocked access to any and all files, folders, and subdomains by validate the redirect_uri parameter.
[You must be registered and logged in to see this image.]
In addition, redirection was only allowed to go to the owner app domain.
Thus, hacker needed to locate some other way to get past their protection. Further complicating the issue was the fact that you can’t use a site redirection / XSS on the victim’s owner app. This is because you have no access to the files or folders on the owner app domain through the redirect_uri parameter.
Block Files Folders
For example:
Allow request:
[You must be registered and logged in to see this link.]
Block requests:
Redirect_uri=https://www.breaksec.com
Redirect_uri=https://a.apigee.com/
Redirect_uri=https://apigee.com/x/x.php
Redirect_uri=https://apigee.com/%23,? or any special sign
As it stands, it appears that the redirect_uri is invulnerable to OAuth attacks.
While researching, I came upon a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth and then send the access_token code to their own domain.
For instance:
Let’s say Nir app client_id in Instagram is 33221863xxx and my domain is breaksec.com
In this case, the redirect_uri parameter should allow redirection only to my domain (breaksec.com), right? What happens when we change the suffix in the domain to something like:
Breaksec.com.mx
In this example, the attacker can send the access_token, code straight to breaksec.com.mx. For the attack to be successful, of course, the attacker will have to buy the new domain (in this case, breaksec.com.mx).
PoC Bypass (Fixed By Facebook Security Team):
[You must be registered and logged in to see this link.]
Game Over.
Bug 2.
With this bug, Nir used the Instagram client_id value through the Facebook OAuth (https://www.facebook.com/dialog/oauth).
When you use the Instagram app, it can be integrated with Facebook.
For example:
When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place.
[You must be registered and logged in to see this image.]
Instagram Would like to access your public profile and friend list
Nir discovered that an attacker can use virtually any domain in the redirect_uri, next parameter. This was actually sort of baffling, and I don’t know why this happened, but it worked. You can literally use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id.
This effectively allows the attacker to steal the access_token of any Instagram user,
With the access_token the attacker will be able to post on the victim behalf in his Facebook account, Access to his private friends list.
PoC (Facebook Already fixed this issue):
[You must be registered and logged in to see this link.]
VIDEO:
[You must be registered and logged in to see this link.]
Similar topics
» How To Get Thousand Of INSTAGRAM Likes And Hundred Of Followers
» Hack a Yahoo Account While Chatting
» Hack Facebook Account Online
» How To Hack A Twitter Account Password Using Phishing Page
» Latest Facebook Account Hacking Software 2014
» Hack a Yahoo Account While Chatting
» Hack Facebook Account Online
» How To Hack A Twitter Account Password Using Phishing Page
» Latest Facebook Account Hacking Software 2014
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum
Thu Jan 23, 2014 5:02 pm by Administrator
» Super Boost Gmail Password Cracker Level - MC4.82.0 2014
Thu Jan 23, 2014 4:59 pm by Administrator
» Latest Facebook Credit Generator 2014
Thu Jan 23, 2014 4:55 pm by Administrator
» FaceBook Friend Bomber New Version 2014.
Thu Jan 23, 2014 4:52 pm by Administrator
» Advance Twitter Account Hacking Software 2014
Thu Jan 23, 2014 4:25 pm by Administrator
» Latest Facebook Account Hacking Software 2014
Thu Jan 23, 2014 4:22 pm by Administrator
» Wifi Password Hacker 2014
Thu Jan 23, 2014 4:18 pm by Administrator
» SIMOID UNLOCKER 3.9 (ANDROID SIMLOCK UNLOCKER)
Mon Sep 16, 2013 6:29 pm by Administrator
» Get Notification mail When Someone Tries To Log In Your Facebook Profile
Mon Sep 16, 2013 6:23 pm by Administrator