Showing posts from May, 2016

Instagram - Account Compromise through Password brute forcing

Instagram application is not validating the number of requests made to login into user account, which made it possible to brute force the password of any Instagram user Account.
Issue reported to Facebook through their whitehat program, but unfortunately I am not the first one to do so. So the report was made duplicate and the issue is found to be fixed in few hours.
While brute-forcing, the application throughs an error in the response body, but sets an authenticated session cookie. So, once we refresh, the browser uses the newly set cookie and establishes logged in browsing session. The following is a video demonstrating the same (post brute force action, not the actual brute force).