Facebook BugBounty: Tale of an Instagram bug disclosing user’s phone number via checkpoint

Hello, folks! , Here is my another post about a bug which disclosing Instagram user’s phone number . This bug mostly effects on 2FA enable accounts . So , let’s jump into the technical detail .

There have 2 things you have to know about Instagram

* When user enable 2FA for his/her account , they have to enter code after login to their account for further access .

* When you login in to your account via VPN ,there have a check-point where you have to enter 6 digit code which send to your attached number/email .

checkpoint after login over VPN

Now combine those 2 things , I was able to disclose 2FA enabled user’s phone number .

So here is the situation where this type of attack work : Attacker have already victim’s username/password , but not able to log in cause of 2FA . Now Attacker want more detail about victim like phone number etc .

Attacking Technique :

1. Attacker log into victim’s account over VPN . which gives a checkpoint.

2. After that Attacker click on “Send security code” option and read the response of the POST request , the phone_number parameter holds the number of victim without any obfuscation .

PoC of disclosing Insta user’s phone number

Now attacker can read user’s phone number clearly without bypass the 2FA .

Timeline:

  • July 1, 2019 – Report sent.
  • July 2, 2019 – Confirmation of submission by Facebook
  • July 8, 2019 – Further investigation by Facebook
  • July 18, 2019 – Fixed & rewarded $XXX by Facebook .

Leave a Comment