Instagram - Account Compromise through Password brute forcing

The Instagram application was not limiting the number of login requests that could be made against a user account, which made it possible to brute-force the password of any Instagram user account.

The issue was reported to Facebook through their whitehat program, but unfortunately I was not the first one to do so. So the report was marked as a duplicate, and the issue was found to be fixed within a few hours.

While brute-forcing, the application throws an error in the response body, but it still sets an authenticated session cookie on the correct guess. So once we refresh, the browser uses the newly set cookie and establishes a logged-in browsing session. In other words, the error message is only cosmetic: the server has already checked the password and issued the session, so an attacker who watches the Set-Cookie header rather than the response body is not slowed down at all. The following is a video demonstrating the same (the post-brute-force action, not the actual brute force).
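As an added illustration (my own example code, not Instagram's code and not part of the original report), the following Python model reproduces the two problems above: an attempt counter whose error is never actually enforced, and an error body that disagrees with the cookie the server sets. It places them next to a hardened handler that rejects locked-out accounts before touching the credential store and issues a session only on a verified password. The account name, wordlist, limits and the use of SHA-256 are all constructed for the example; a real service would use a slow salted hash such as scrypt or argon2.

```python
"""Added example: a login endpoint modelled on the post's description.

VulnerableLogin reproduces the described behaviour: after a few failures the
body reports an error, but the password is still checked and a session cookie
is still issued on a correct guess.  HardenedLogin shows the fix.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample credential store and wordlist (not real data).
USERS = {"victim": hashlib.sha256(b"correct horse").hexdigest()}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "correct horse"]


@dataclass
class Response:
    status: int
    body: dict
    cookies: dict = field(default_factory=dict)  # what would go into Set-Cookie


def password_matches(user, password):
    stored = USERS.get(user)
    if stored is None:
        return False
    # Constant-time compare; sha256 is a stand-in for a slow password hash.
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


class VulnerableLogin:
    """Assumed model of the defect, not Instagram's code."""
    SOFT_LIMIT = 3

    def __init__(self):
        self.failures = {}  # user -> number of wrong passwords seen

    def __call__(self, user, password):
        # Defect 2: the session is created *before* the throttle is consulted.
        ok = password_matches(user, password)
        cookies = {"sessionid": secrets.token_hex(16)} if ok else {}
        if self.failures.get(user, 0) >= self.SOFT_LIMIT:
            # Defect 1: the "error" is cosmetic; the cookie above still ships.
            return Response(400, {"error": "Please wait before trying again."}, cookies)
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            return Response(400, {"error": "incorrect password"}, cookies)
        return Response(200, {"authenticated": True}, cookies)


class HardenedLogin:
    """Per-account lockout, enforced before any credential check."""
    HARD_LIMIT = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}  # user -> (count, window start)

    def __call__(self, user, password):
        now = self.clock()
        count, since = self.failures.get(user, (0, now))
        if now - since > self.LOCKOUT_SECONDS:
            count, since = 0, now  # window expired, start over
        if count >= self.HARD_LIMIT:
            # Reject first: no password check, no session, nothing to leak.
            return Response(429, {"error": "too many attempts"})
        if not password_matches(user, password):
            self.failures[user] = (count + 1, since)
            return Response(401, {"error": "incorrect password"})
        self.failures.pop(user, None)
        return Response(200, {"authenticated": True}, {"sessionid": secrets.token_hex(16)})


def session_issued_with_error(resp):
    """The inconsistency from the post: error body, yet a session cookie."""
    return "error" in resp.body and "sessionid" in resp.cookies


def brute_force(login, user, wordlist):
    """Uses the session cookie, not the body text, as the success oracle.
    Returns (attempts made, password found or None)."""
    for attempts, guess in enumerate(wordlist, 1):
        resp = login(user, guess)
        if "sessionid" in resp.cookies:
            return attempts, guess
    return len(wordlist), None


if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableLogin(), "victim", WORDLIST))
    print("hardened:  ", brute_force(HardenedLogin(), "victim", WORDLIST))
```

Against the vulnerable handler the sixth guess succeeds even though the body says "Please wait", which is exactly the cookie-then-refresh behaviour shown in the video; against the hardened handler the account is locked after five failures and the correct password is never even checked. A per-account lockout on its own can be abused to lock legitimate users out, so in practice it is combined with per-source throttling or a challenge, but the essential fix is the ordering: throttle first, verify second, issue a session only on success.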
