Saturday, 16 April 2016

How I Could Delete Instagram Captions and Comments That Are Not Mine

It's been a while since I published my last post. So here I come with a write-up on chaining multiple issues in a Facebook acquisition, Instagram, that could have allowed me to delete every comment and caption from the Instagram DB.


(Image: Instagram web and mobile applications)

For the first two hours or so I could not find anything, as every request from the app carries a signature and I was lazy enough not to understand/reverse the signature logic. So, as usual, I was about to close my Mac, and then saw a request without a signature.


(Image: request without a signature)

Bingo, something to play around with. So I started working on the request, trying the most common bugs: SQLi, XSS, CSRF, etc. Then, to cross-verify a CSRF issue, I used my browser. To my surprise, the later requests from the browser app carried no signature at all, though CSRF was of course properly protected.

While testing with both the app and the browser together, I realised there is an authorisation flaw in the comment deletion action. But it requires certain comment ID values, which are (supposed to be) not available for comments other than your own. So basically you cannot delete other people's comments because you won't have their comment IDs (such nice logic).

(Image: request used for deleting comments)

So I went back through the 10 MB of my Burp logs to see whether the comment IDs were leaked somewhere. And bingo: there is an API that returns the comment IDs of all the comments on a picture.


(Image: request that fetches comment IDs)

So now we have all the elements needed to do some DAMAGE....

URL: https://www.instagram.com/web/comments/<photo id>/delete/<comment/description id>/

photo id & owner id: to extract the IDs of the target photos/comments, make a GET call to

https://www.instagram.com/<target username>/

comment/description id: to extract the comment ID of the target comment, make a GET call to

https://i.instagram.com/api/v1/media/<photo id>_<owner id>/comments/

Now it is time to delete some comments. Simply make a POST call with the web-app cookies to

https://www.instagram.com/web/comments/<photo id>/delete/<comment id>/

(but don't forget to add the CSRF token to the headers) and done: we have successfully deleted the target comment.
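The root cause is that the delete endpoint treats the comment ID as if it were a secret instead of checking who owns the comment. The snippet below is an added example, not Instagram's code: an in-memory model of photos and their comments with the flawed authorization described above beside a hardened version that requires the requester to be the comment's author or the owner of the photo (owners may remove comments and captions on their own posts). Captions are modelled as a comment authored by the photo owner, since the same endpoint removed both; all usernames and IDs are constructed sample values.

```python
"""Ownership check for a comment-deletion endpoint.

Added example (not Instagram's code): an in-memory model of photos and their
comments, with the flawed authorization described in the post beside a fixed
version. Captions are modelled as a comment authored by the photo owner, since
the same endpoint removed both. All usernames and IDs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    author: str
    text: str


@dataclass
class Photo:
    photo_id: int
    owner: str
    comments: dict = field(default_factory=dict)  # comment_id -> Comment


class NotAuthorized(Exception):
    """Raised when a logged-in user tries to delete something that is not theirs."""


def make_store():
    """Constructed sample data: 'victim' owns photo 1001; 5001 is its caption."""
    photo = Photo(photo_id=1001, owner="victim")
    photo.comments[5001] = Comment(5001, "victim", "my caption")
    photo.comments[5002] = Comment(5002, "friend", "nice shot")
    photo.comments[5003] = Comment(5003, "attacker", "first!")
    return {1001: photo}


def delete_comment_vulnerable(store, requester, photo_id, comment_id):
    """Flawed: only authentication is checked. Whoever knows a comment ID can
    delete it, so the IDs returned by the public comments API are a complete
    capability. Returns True when the comment was removed."""
    if requester is None:
        raise NotAuthorized("login required")
    del store[photo_id].comments[comment_id]
    return True


def authorize_delete(store, requester, photo_id, comment_id):
    """Return True only if the comment exists on this photo and the requester
    is its author or the photo's owner (owners moderate their own posts)."""
    if requester is None:
        return False
    photo = store.get(photo_id)
    if photo is None or comment_id not in photo.comments:
        return False  # also rejects a valid comment ID paired with the wrong photo
    comment = photo.comments[comment_id]
    return requester in (comment.author, photo.owner)


def delete_comment_hardened(store, requester, photo_id, comment_id):
    """Fixed: the ownership check runs before anything is deleted."""
    if not authorize_delete(store, requester, photo_id, comment_id):
        raise NotAuthorized(f"{requester!r} may not delete comment {comment_id}")
    del store[photo_id].comments[comment_id]
    return True


def demo():
    """Run the same request through both handlers: a third party deleting the
    owner's caption. Returns whether the caption survived in each case."""
    results = {}
    store = make_store()
    delete_comment_vulnerable(store, "attacker", 1001, 5001)
    results["vulnerable_caption_survived"] = 5001 in store[1001].comments
    store = make_store()
    try:
        delete_comment_hardened(store, "attacker", 1001, 5001)
    except NotAuthorized:
        pass
    results["hardened_caption_survived"] = 5001 in store[1001].comments
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable_caption_survived': False, 'hardened_caption_survived': True}
```

The check also ties the comment ID to the photo ID in the URL, so a leaked ID cannot be replayed against a different resource path; authorization is decided by stored ownership, never by whether the caller happened to know an identifier.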

A better and easier way to exploit the same bug (with a different way of enumerating the necessary information) is shown in the video demonstration below.


After playing around with the API for some more time, I realised that there is no rate limiting applied to the delete API.

So I made a small Python script that first calls the target Instagram user's account to fetch all the photo IDs, then makes another request per photo to fetch all of its comment IDs, and finally sends a delete request for each comment on each photo, thereby deleting every comment and caption ever added to any photo of the target user.
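Two defensive pieces that would have contained this, as an added example rather than anything from the post or from Instagram: a per-user sliding-window limiter the delete endpoint could consult before acting, and an offline pass over access-log lines that flags accounts issuing deletions in bulk across many photos. The log format, usernames and IDs are constructed for the example.

```python
"""Rate limiting and bulk-deletion detection for a delete endpoint.

Added example (not Instagram's code or the post's script). A per-user
sliding-window limiter the endpoint could consult before deleting, plus an
offline pass over access-log lines that flags accounts deleting comments in
bulk across many photos. Log format, usernames and IDs are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: timestamp, acting user, request line, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) "
    r"POST /web/comments/(?P<photo>\d+)/delete/(?P<comment>\d+)/ (?P<status>\d{3})$"
)

# Constructed sample: one account issues six deletions across three photos in 3 s.
SAMPLE_LOG = """\
2016-04-16T10:00:00Z user=friend POST /web/comments/1001/delete/5002/ 200
2016-04-16T10:00:01Z user=attacker POST /web/comments/1001/delete/5001/ 200
2016-04-16T10:00:01Z user=attacker POST /web/comments/1001/delete/5003/ 200
2016-04-16T10:00:02Z user=attacker POST /web/comments/1002/delete/5010/ 200
2016-04-16T10:00:02Z user=attacker POST /web/comments/1002/delete/5011/ 200
2016-04-16T10:00:03Z user=attacker POST /web/comments/1003/delete/5020/ 200
2016-04-16T10:00:03Z user=attacker POST /web/comments/1003/delete/5021/ 200
2016-04-16T10:09:00Z user=victim POST /web/comments/1001/delete/5003/ 200
"""


def parse_line(line):
    """Return (epoch_seconds, user, photo_id, comment_id, status), or None if the
    line is not a delete request in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (ts.timestamp(), m["user"], int(m["photo"]), int(m["comment"]), int(m["status"]))


class SlidingWindowLimiter:
    """Allow at most max_events per user within any window_s-second span."""

    def __init__(self, max_events, window_s):
        self.max_events = max_events
        self.window_s = window_s
        self._events = defaultdict(deque)  # user -> timestamps of allowed requests

    def allow(self, user, now_s):
        q = self._events[user]
        while q and now_s - q[0] >= self.window_s:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.max_events:
            return False
        q.append(now_s)
        return True


def replay_with_limiter(log_text, max_events=3, window_s=60):
    """Replay the log through the limiter (lines are chronological) and return
    how many delete requests it would have refused."""
    limiter = SlidingWindowLimiter(max_events, window_s)
    refused = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and not limiter.allow(ev[1], ev[0]):
            refused += 1
    return refused


def find_bulk_deleters(log_text, window_s=60, threshold=5):
    """Return {user: (peak_deletes_in_window, distinct_photos)} for users whose
    successful deletions inside any window_s span exceed threshold."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[4] == 200:
            per_user[ev[1]].append((ev[0], ev[2]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        times = [t for t, _ in events]
        peak = start = 0
        for end in range(len(times)):  # two-pointer sweep over a sorted timeline
            while times[end] - times[start] >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = (peak, len({photo for _, photo in events}))
    return flagged


if __name__ == "__main__":
    print(find_bulk_deleters(SAMPLE_LOG))  # {'attacker': (6, 3)}
    print(replay_with_limiter(SAMPLE_LOG))  # 3
```

The limiter is the control the post says was absent; the log sweep is the compensating detection, useful because a burst of deletions spread over many distinct photos by one account is not a pattern a legitimate user produces.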


(Image: deleting all comments on all photos of the target user)

Thanks for reading/watching. As usual, suggestions and queries are always welcome.


11 comments:

  2. Mohan, thank you for your job. Can you explain how to add a comment to an Instagram photo? I try to add https://www.instagram.com/web/comments/1454229841149810844/add/comment_text:Nice using Java but this solution doesn't work. The second question is how you connect Genymotion with Burp? I tried to do this, but in the Genymotion free version we can't change the IP address to connect with Burp?
