It's been a while since I published my last post. So here I come with a write-up on chaining multiple issues in the Facebook acquisition Instagram that allowed me to delete any comment or caption from the Instagram DB.
For the first 2 hours or so, I could not find anything, as each request is sent with a signature and I was lazy enough not to understand/reverse the signature logic. So, as usual, I was about to close my Mac, and then I saw a request without a signature.
Bingo... something to play around with. So I started working on the request, trying the most common bugs, like SQLi, XSS, CSRF, etc. Then, to cross-verify a CSRF issue, I used my browser. To my surprise, the later requests from the browser app carried no signature at all, but of course the CSRF issue was properly protected.
While testing with both the app and the browser together, I realised that there is an authorisation flaw in the comment deletion action. But it requires certain comment ID values, which are (supposed to be) not available for comments other than your own. So basically, you cannot delete other people's comments because you won't have their comment IDs (such nice logic).
So I went back through the 10 MB of my Burp logs to find out whether the comment IDs are leaked somewhere. And bingo, there is an API which shows the comment IDs of all the comments on a picture.
So now we have all the elements needed to do some DAMAGE...
URL: https://www.instagram.com/web/comments/<photo id>/delete/<comment/description id>/

Photo ID and owner ID: to extract the IDs of the target photos/comments, make a GET call to
https://www.instagram.com/<target username>/

Comment/description ID: to extract the comment ID of the target comment, make a GET call to
https://i.instagram.com/api/v1/media/<photo id>_<owner id>/comments/

Now it's time to delete some comments... Simply make a POST call with the web app cookies to
https://www.instagram.com/web/comments/<photo id>/delete/<comment id>/
(but don't forget to add the CSRF token to the headers) and done, we have successfully deleted the target comment.
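The flaw behind the delete call above comes down to a missing object-level authorization check: the server treated possession of a comment ID as proof of authority, while a separate read endpoint handed those IDs to anyone who could view the photo. The following Python model is an added example written for this page, not Instagram's code; it puts the vulnerable check beside the fixed one, and the service class, the user names and the numeric IDs are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Comment:
    comment_id: int
    photo_id: int
    author: str
    text: str


@dataclass
class Photo:
    photo_id: int
    owner: str
    comment_ids: List[int] = field(default_factory=list)


class CommentService:
    """Minimal in-memory model of a photo/comment backend (constructed, not Instagram's)."""

    def __init__(self) -> None:
        self.photos: Dict[int, Photo] = {}
        self.comments: Dict[int, Comment] = {}

    def add_photo(self, photo_id: int, owner: str) -> None:
        self.photos[photo_id] = Photo(photo_id, owner)

    def add_comment(self, comment_id: int, photo_id: int, author: str, text: str) -> None:
        self.comments[comment_id] = Comment(comment_id, photo_id, author, text)
        self.photos[photo_id].comment_ids.append(comment_id)

    def list_comment_ids(self, photo_id: int) -> List[int]:
        # Public read endpoint: anyone who can view the photo sees every comment ID.
        # That makes a comment ID public data, so it can never stand in for authorization.
        return list(self.photos[photo_id].comment_ids)

    def _remove(self, comment: Comment) -> None:
        self.photos[comment.photo_id].comment_ids.remove(comment.comment_id)
        del self.comments[comment.comment_id]

    def delete_vulnerable(self, caller: Optional[str], photo_id: int, comment_id: int) -> int:
        """The flawed pattern: logged in + comment exists under this photo => delete.
        Ownership is never consulted; knowing the ID is treated as proof of authority."""
        if caller is None:
            return 401
        comment = self.comments.get(comment_id)
        if comment is None or comment.photo_id != photo_id:
            return 404
        self._remove(comment)
        return 200

    def delete_fixed(self, caller: Optional[str], photo_id: int, comment_id: int) -> int:
        """Object-level authorization: only the comment's author or the photo's owner may delete."""
        if caller is None:
            return 401
        comment = self.comments.get(comment_id)
        if comment is None or comment.photo_id != photo_id:
            return 404
        if caller not in (comment.author, self.photos[photo_id].owner):
            return 403  # authenticated, but not authorized for this particular object
        self._remove(comment)
        return 200


def build_sample() -> CommentService:
    """Constructed data: one photo owned by alice with a caption and two comments."""
    svc = CommentService()
    svc.add_photo(1001, "alice")
    svc.add_comment(5001, 1001, "alice", "caption")
    svc.add_comment(5002, 1001, "bob", "nice shot")
    svc.add_comment(5003, 1001, "carol", "where is this?")
    return svc


def attempt_as(caller: str, svc: CommentService, photo_id: int, use_fixed: bool) -> List[Tuple[int, int]]:
    """Walk the publicly listed IDs and request deletion of each one as `caller`.
    Returns (comment_id, HTTP status) pairs so the two checks can be compared."""
    delete = svc.delete_fixed if use_fixed else svc.delete_vulnerable
    return [(cid, delete(caller, photo_id, cid)) for cid in svc.list_comment_ids(photo_id)]


if __name__ == "__main__":
    for fixed in (False, True):
        svc = build_sample()
        print("fixed" if fixed else "vulnerable", attempt_as("mallory", svc, 1001, fixed),
              "remaining:", svc.list_comment_ids(1001))
```

The point of the fix is where the decision is made: the server consults the object's ownership on every delete, so leaking the ID through another endpoint no longer matters. The `404` for a mismatched photo/comment pair is kept in both versions because that check was already there; it is the `403` branch that was missing.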
A better and easier way (a different way of enumerating the necessary information) to exploit the same bug is shown in the video demonstration below.
After playing around with the API for some more time, I realised that there is no rate limiting applied on the delete API.
So I made a small Python script which makes a call to the target Instagram user account to fetch all the photo IDs. Then it makes another request to fetch all the comment IDs on each photo ID. Finally, it makes requests to delete each comment on each photo, thereby deleting all comments and captions ever added to any photo of the target user.
Video: deleting all comments on all photos of the target user
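The missing rate limit is the second control worth looking at: a destructive endpoint with no per-user budget lets one authorization flaw scale to every object at once. The following Python sliding-window limiter is an added example written for this page, not Instagram's code. It shows the server-side budget check and then replays the same logic offline over constructed access-log lines to flag the burst pattern described above; the thresholds, the user names and the log format are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List


class SlidingWindowLimiter:
    """Per-principal sliding window: at most `max_events` within any `window_seconds`.
    Constructed example; the thresholds are illustrative, not a real service's settings."""

    def __init__(self, max_events: int, window_seconds: float) -> None:
        self.max_events = max_events
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, principal: str, now: float) -> bool:
        """Record the event and return True if it fits the budget, False if it exceeds it."""
        q = self._events[principal]
        while q and now - q[0] >= self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def handle_delete(limiter: SlidingWindowLimiter, principal: str, now: float) -> int:
    """Server-side gate for a delete call: 429 once the budget is spent.
    (The object-level authorization check would run before this in a real handler.)"""
    return 200 if limiter.allow(principal, now) else 429


# Constructed access-log lines in an assumed format:
# "<epoch seconds> <user> POST /web/comments/<photo id>/delete/<comment id>/ <status>"
SAMPLE_LOG = """\
1700000000 bob POST /web/comments/1001/delete/5002/ 200
1700000002 eve POST /web/comments/1001/delete/5001/ 200
1700000003 eve POST /web/comments/1001/delete/5003/ 200
1700000004 eve POST /web/comments/1002/delete/5004/ 200
1700000005 eve POST /web/comments/1002/delete/5005/ 200
1700000006 eve POST /web/comments/1003/delete/5006/ 200
1700000007 eve POST /web/comments/1003/delete/5007/ 200
1700000090 bob POST /web/comments/1004/delete/5008/ 200
"""

LOG_RE = re.compile(r"^(\d+) (\S+) POST /web/comments/(\d+)/delete/(\d+)/ (\d{3})$")


def find_delete_bursts(log_text: str, max_events: int, window_seconds: float) -> List[str]:
    """Replay delete requests (in time order) through the limiter and return the principals
    that would have been throttled: the detection view of the same budget."""
    limiter = SlidingWindowLimiter(max_events, window_seconds)
    flagged = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user = int(m.group(1)), m.group(2)
        if not limiter.allow(user, ts):
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    lim = SlidingWindowLimiter(max_events=5, window_seconds=60)
    print([handle_delete(lim, "eve", t) for t in range(7)])   # sixth and seventh call get 429
    print(find_delete_bursts(SAMPLE_LOG, max_events=5, window_seconds=60))
```

With a budget of 5 deletes per 60 seconds, `eve` is throttled on her sixth call while `bob`'s two widely spaced deletes pass; the same class serves as the enforcement point in the handler and as the replay logic over logs, so the production threshold and the detection threshold cannot drift apart.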
Thanks for reading/watching... And as usual, suggestions and queries are always welcome.
Reader comment: Mohan, thank you for your job. Can you explain how to add a comment to an Instagram photo? I try to add https://www.instagram.com/web/comments/1454229841149810844/add/comment_text:Nice using Java but this solution doesn't work. The second question is how you connect Genymotion with Burp? I tried to do this, but in the Genymotion free version we can't change the IP address to connect with Burp?