Hello, folks! Here is another post, this time about a bug that disclosed an Instagram user’s phone number. The bug mostly affects accounts with 2FA enabled. So, let’s jump into the technical details.
There are two things you need to know about Instagram:
* When users enable 2FA on their account, they have to enter a code after logging in before they get any further access.
* When you log in to your account over a VPN, you hit a checkpoint where you have to enter a 6-digit code that is sent to the number/email attached to the account.
Now, combining those two things, I was able to disclose a 2FA-enabled user’s phone number.
So here is the situation in which this type of attack works: the attacker already has the victim’s username and password but cannot log in because of 2FA. Now the attacker wants more details about the victim, such as the phone number, etc.
Attack technique:
1. The attacker logs in to the victim’s account over a VPN, which triggers a checkpoint.
2. The attacker then clicks the “Send security code” option and reads the response to the POST request; the phone_number parameter holds the victim’s number without any obfuscation.
Now the attacker can read the user’s phone number in the clear without bypassing 2FA.
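A defensive sketch of the fix this finding calls for, added here as an example and not taken from the original post or from Instagram's code: mask contact fields in any response served before 2FA is completed, and scan responses for full numbers as a regression check. Only the phone_number field name comes from the post; the sample response, its other keys and all function names are assumptions.

```python
import re

# Constructed sample of a checkpoint response before the fix. Only the
# phone_number field name comes from the post; the other keys and the
# number itself are made up for this example.
LEAKY_RESPONSE = {
    "step_name": "verify_code",
    "status": "ok",
    "step_data": {"phone_number": "+1 415 555 0123", "resend_delay": 60},
}

def mask_phone(number, visible=2):
    """Keep separators and the last `visible` digits; star out the rest."""
    total = sum(ch.isdigit() for ch in number)
    out, seen = [], 0
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - visible else "*")
        else:
            out.append(ch)
    return "".join(out)

def sanitize_preauth(payload, sensitive=("phone_number",)):
    """Return a copy of a pre-authentication response with contact fields masked."""
    if isinstance(payload, dict):
        return {
            k: mask_phone(v) if k in sensitive and isinstance(v, str)
            else sanitize_preauth(v, sensitive)
            for k, v in payload.items()
        }
    if isinstance(payload, list):
        return [sanitize_preauth(v, sensitive) for v in payload]
    return payload

# Seven or more digit/separator characters in a row look like a full number.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def find_unmasked_phones(payload, path=""):
    """Regression check: paths of string values that still hold a full number."""
    hits = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            hits += find_unmasked_phones(v, f"{path}.{k}" if path else k)
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            hits += find_unmasked_phones(v, f"{path}[{i}]")
    elif isinstance(payload, str) and PHONE_RE.search(payload):
        hits.append(path)
    return hits
```

Running find_unmasked_phones over every response reachable before the second factor is verified catches the same class of leak even when it appears under a different field name.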
- July 1, 2019 – Report sent.
- July 2, 2019 – Confirmation of submission by Facebook.
- July 8, 2019 – Further investigation by Facebook.
- July 18, 2019 – Fixed and rewarded $XXX by Facebook.