Académique Documents
Professionnel Documents
Culture Documents
10 INTERESTING VULNERABILITIES IN
INSTAGRAM
ARNE SWINNEN
@ARNESWINNEN
HTTPS://WWW.ARNESWINNEN . NET
WHOAMI
Arne Swinnen from Belgium, 26 years old
IT Security Consultant since 2012
Companies I have directly worked for:
Currently Past
2
AGENDA
Introduction
Setup
Man-in-the-Middle
Signature Key Phishing
APK Decompilation
Vulnerabilities
Infrastructure: 2
Web: 2
Hybrid: 4
Mobile: 2
Conclusion
Q&A
3
INTRO
4
INTRODUCTION
Motivation
Timing
5
INTRODUCTION
6
INTRODUCTION
Private account Public account
7
SETUP
8
MAN-IN-THE-MIDDLE
9
MAN-IN-THE-MIDDLE
10
MAN-IN-THE-MIDDLE
Attempt 1: Android Wifi Proxy Settings
11
MAN-IN-THE-MIDDLE
Attempt 1: Android Wifi Proxy Settings (ctd.)
Instagram v6.18.0
25/03/2015
12
MAN-IN-THE-MIDDLE
Attempt 1: Android Wifi Proxy Settings (ctd.)
Instagram v6.18.0
25/03/2015
13
MAN-IN-THE-MIDDLE
Attempt 2: Ad-hoc WiFi Access Point
Instagram v6.18.0
25/03/2015
16
MAN-IN-THE-MIDDLE
Attempt 2: Ad-hoc WiFi Access Point (ctd.)
Instagram v6.18.0
25/03/2015
17
MAN-IN-THE-MIDDLE
Attempt 2: Ad-hoc WiFi Access Point (ctd.)
Instagram v7.10.0
05/11/2015
18
MAN-IN-THE-MIDDLE
Attempt 2: Ad-hoc WiFi Access Point (ctd.)
Instagram v7.10.0
05/11/2015
19
MAN-IN-THE-MIDDLE
Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning
20
MAN-IN-THE-MIDDLE
Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning
21
MAN-IN-THE-MIDDLE
Attempt 4: Ad-hoc WiFi AP & Smali Bypass
22
MAN-IN-THE-MIDDLE
Attempt 4: Ad-hoc WiFi AP & Smali Bypass (ctd.)
23
MAN-IN-THE-MIDDLE
Attempt 4: Ad-hoc WiFi AP & Smali Bypass (ctd.)
24
SIGNATURE KEY PHISHING
25
SIGNATURE KEY PHISHING
signed_body=
0df7827209d895b1478a35a1882a9e1c8
7d3ba114cf8b1f603494b08b5d093b1.
{"_csrftoken":"423d22c063a801f468f2
1d449ed8a103","username":"abc","gu
id":"b0644495-5663-4917-b889-
156f95b7f610","device_id":"android-
f86311b4vsa5j7d2","password":"abc",
"login_attempt_count":"11"}
HMAC
SHA256
26
SIGNATURE KEY PHISHING
signed_body=
0df7827209d895b1478a35a1882a9e1c8
7d3ba114cf8b1f603494b08b5d093b1.
{"_csrftoken":"423d22c063a801f468f2
1d449ed8a103","username":"abc","gu
id":"b0644495-5663-4917-b889-
156f95b7f610","device_id":"android-
f86311b4vsa5j7d2","password":"abc",
"login_attempt_count":"11"}
HMAC
SHA256
27
SIGNATURE KEY PHISHING
28
SIGNATURE KEY PHISHING
HMAC
SHA256
Key
29
SIGNATURE KEY PHISHING
30
SIGNATURE KEY PHISHING
Source: http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/
c1c7d84501d2f0df05c378f5efb9120909ecfb39dff5494aa361ec0deadb509a 31
SIGNATURE KEY PHISHING
32
SIGNATURE KEY PHISHING
33
SIGNATURE KEY PHISHING
34
SIGNATURE KEY PHISHING
35
SIGNATURE KEY PHISHING
36
SIGNATURE KEY PHISHING
37
APK DECOMPILATION
1. Decompile APK to java source code (d2j-dex2jar & jd-cli)
38
APK DECOMPILATION
1. Decompile APK to java source code (d2j-dex2jar & jd-cli)
2. Identify endpoints & compare APK versions programmatically
39
APK DECOMPILATION
1. Decompile APK to java source code (d2j-dex2jar & jd-cli)
2. Identify endpoints & compare APK versions programmatically
40
APK DECOMPILATION
1. Decompile APK to java source code (d2j-dex2jar & jd-cli)
2. Identify endpoints & compare APK versions programmatically
3. Test old (legacy code) & monitor new endpoints (fresh code)
41
VULNERABILITIES
42
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
43
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
# python subbrute.py instagram.com
instagram.com
www.instagram.com
blog.instagram.com
i.instagram.com
admin.instagram.com
mail.instagram.com
support.instagram.com
help.instagram.com
platform.instagram.com
api.instagram.com
business.instagram.com
bp.instagram.com
graphite.instagram.com
...
44
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
45
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
46
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
47
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
How to exploit?
48
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
a) Claim 10.* IP on local network & start local webserver of
http://graphite.instagram.com
b) Lure victim into browsing to http://graphite.instagram.com
and serve login page of https://www.instagram.com
c) Hope that the victim provides credentials
49
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
50
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
51
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
Domain=instagram.com httponly
52
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
53
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
a) Claim 10.* IP on local network & start local webserver of
http://graphite.instagram.com
b) Lure victim into browsing to http://graphite.instagram.com
while being authenticated to https://www.instagram.com
c) Copy session cookie & hijack session
54
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
55
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
Thank you for your reply. This issue has been discussed at great lengths with the
Facebook Security Team and while this behavior may be changed at some point
in the future, it is not eligible for the bug bounty program. Although this issue
does not qualify we appreciate your report and will follow up with you on any
security bugs or with any further questions we may have.
56
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
Thank you for your reply. This issue has been discussed at great lengths with the
Facebook Security Team and while this behavior may be changed at some point
in the future, it is not eligible for the bug bounty program. Although this issue
does not qualify we appreciate your report and will follow up with you on any
security bugs or with any further questions we may have.
57
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
58
INFRASTRUCTURE
Source: https://exfiltrated.com/research-Instagram-RCE.php 59
INFRASTRUCTURE
Source: https://exfiltrated.com/research-Instagram-RCE.php 60
INFRASTRUCTURE
$2500
Source: https://exfiltrated.com/research-Instagram-RCE.php 61
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
62
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
Subdomains Session
resolve to cookie
local IPs 10.* scoped to all
subdomains
63
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
64
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
65
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
66
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
67
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
a) Outdated Proofpoint Protection Server (7.1 < 7.5)
b) Brute-force possible against exposed login screens
68
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
a) Outdated Proofpoint Protection Server (7.1 < 7.5)
b) Brute-force possible against exposed login screens
Thank you for your patience here. After discussions with the product team and
the security team, we have determined that this report does not pose a
significant risk to user security and/or privacy. As such, this report is not eligible
for our bug bounty program.
69
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
a) Outdated Proofpoint Protection Server (7.1 < 7.5)
b) Brute-force possible against exposed login screens
Thank you for your patience here. After discussions with the product team and
the security team, we have determined that this report does not pose a
significant risk to user security and/or privacy. As such, this report is not eligible
for our bug bounty program.
70
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
71
INFRASTRUCTURE
2. Employee Email Authentication Brute-Force Lockout
72
WEB
3. Public Profile Tabnabbing
73
WEB
3. Public Profile Tabnabbing
74
WEB
3. Public Profile Tabnabbing
75
WEB
3. Public Profile Tabnabbing
http://blog.whatever.io/2015/03/07/on-the-security-implications-of-
window-opener-location-replace/
We have previously been made aware of this issue and are in the process of
investigating it. Thank you for submitting it to us. Please send along any
additional security issues you encounter.
76
WEB
3. Public Profile Tabnabbing
http://blog.whatever.io/2015/03/07/on-the-security-implications-of-
window-opener-location-replace/
We have previously been made aware of this issue and are in the process of
investigating it. Thank you for submitting it to us. Please send along any
additional security issues you encounter.
77
WEB
3. Public Profile Tabnabbing
78
WEB
3. Public Profile Tabnabbing
79
WEB
4. Web Server Directory Enumeration
https://instagram.com
80
WEB
4. Web Server Directory Enumeration
https://instagram.com/?hl=en 81
WEB
4. Web Server Directory Enumeration
https://instagram.com/?hl=./en 82
WEB
4. Web Server Directory Enumeration
83
WEB
4. Web Server Directory Enumeration
84
WEB
4. Web Server Directory Enumeration
https://instagram.com/?hl=../locale/en 85
WEB
4. Web Server Directory Enumeration
https://instagram.com/?hl=../LOCALE/EN 86
WEB
4. Web Server Directory Enumeration
https://instagram.com/?hl=../wrong/en 87
WEB
4. Web Server Directory Enumeration
88
WEB
4. Web Server Directory Enumeration
42 hits for
../<GUESS>/../locale/nl/
89
WEB
4. Web Server Directory Enumeration
Thank you for sharing this information with us. Although this issue does not
qualify as a part of our bounty program we appreciate your report. We will
follow up with you on any security bugs or with any further questions we may
have.
90
WEB
4. Web Server Directory Enumeration
Thank you for sharing this information with us. Although this issue does not
qualify as a part of our bounty program we appreciate your report. We will
follow up with you on any security bugs or with any further questions we may
have.
91
WEB
4. Web Server Directory Enumeration
92
WEB
4. Web Server Directory Enumeration
93
Application
WEB
DDOS
31/08/2015
There is one thing I'd like to add here. I have not tested this attack for obvious
reasons, but wouldn't the following request have resulted in a Denial of Service
attack?:
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/random%00
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/urandom%00
94
WEB
4. Web Server Directory Enumeration
18/10/2015
Have you already found some time to consider my last response?
95
WEB
4. Web Server Directory Enumeration
29/12/2015
Thanks for being patient. When we considered the initial report, we had already
accounted for the possibility of reading files such as /dev/random and
/dev/urandom, and the reward is still $500. The act of reading those files does
not significantly affect our infra-structure too much as we have systems in place
to deal with unresponsive servers.
96
WEB
4. Web Server Directory Enumeration
29/12/2015
Thanks for being patient. When we considered the initial report, we had already
accounted for the possibility of reading files such as /dev/random and
/dev/urandom, and the reward is still $500. The act of reading those files does
not significantly affect our infra-structure too much as we have systems in place
to deal with unresponsive servers.
97
WEB
4. Web Server Directory Enumeration
98
WEB
4. Web Server Directory Enumeration
99
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
{
"status": "ok",
"media": {
"organic_tracking_token":
"eyJ2ZXJzaW9uIjozLCJwYXlsb2FkIjp7ImlzX2FuYWx5dGljc190cmFja2VkIjpmYWx
zZSwidXVpZCI6IjYxNGMwYzk1MDRlNDRkMWU4YmI3ODlhZTY3MzUxZjNlIn0sIn
NpZ25hdHVyZSI6IiJ9",
"client_cache_key": "MTExODI1MTg5MjE1NDQ4MTc3MQ==.2",
"code": "-E1CvRRrxr",
(...SNIP...)
"media_type": 1,
"pk": 1118251892154481771,
"original_width": 1080,
"has_liked": false,
"id": "1118251892154481771_2036044526"
},
"upload_id": "1447526029474"
}
100
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
Private
account
101
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
Private
account
102
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
Private
account
103
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
HTTP/1.1 200 OK
(SNIP)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
104
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
Private
account
105
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
106
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
107
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
Private victim account Public attacker account
(monitored by attacker) (generated right after monitor hit)
1yCwjTJRnk 1yCwodpTlC
1yC05mJRnq 1yC0_ApTlL
1yC5PqpRnu 1yC5UopTlX
1yC9nTJRnw 1yC9repTlk
1yDGULpRn9 1yDGaDpTl1
1yDKrvpRoB 1yDKvtJTl8
1yDPCCpRoI 1yDPHVpTl_
1yDTZGpRoO 1yDTdvpTmH
1yDXxRpRoW 1yDX1fJTmP
1yDgdBpRol 1yDgj6JTmb
1yDk1qpRop 1yDk6ypTme
1yD6mjpRpT 1yD6sCpTnL
1yEDSqpRpn 1yEDXYJTnU
1yEHpNJRpt 1yEHuTpTnc
1yEQWTpRqD 1yEQb3pTnw
1yEUtCJRqL 1yEUyJJTn5
1yEZEKJRqU 1yEZI3pToI
1yEdaxpRqe 1yEdfEpToO
108
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
109
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
110
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
111
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
After reviewing the issue you have reported, we have decided to award you a
bounty of $1000 USD.
112
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
113
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
114
WEB + MOBILE
6. Private Account Shared Pictures CSRF
HTTP/1.1 200 OK
(SNIP)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
115
WEB + MOBILE
6. Private Account Shared Pictures CSRF
HTTP/1.1 200 OK
(SNIP)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
116
WEB + MOBILE CSRF
117
WEB + MOBILE CSRF
118
WEB + MOBILE
6. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
Usertags Feed Authorization Bypass
119
WEB + MOBILE
6. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture
120
WEB + MOBILE
6. Private Account Shared Pictures CSRF
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture
After reviewing the issue you have reported, we have decided to award you a
bounty of $1000.
121
WEB + MOBILE
6. Private Account Shared Pictures CSRF
122
WEB + MOBILE
6. Private Account Shared Pictures CSRF
GET
instead of
POST
CSRF
attack surface 123
WEB + MOBILE
7. Email Address Account Enumeration
124
WEB + MOBILE
7. Email Address Account Enumeration
125
WEB + MOBILE
7. Email Address Account Enumeration
126
WEB + MOBILE
7. Email Address Account Enumeration
127
WEB + MOBILE
7. Email Address Account Enumeration
128
WEB + MOBILE
7. Email Address Account Enumeration
After reviewing the issue you have reported, we have decided to award you a
bounty of $750 USD.
129
WEB + MOBILE
7. Email Address Account Enumeration
130
WEB + MOBILE
7. Email Address Account Enumeration
131
WEB + MOBILE
8. Account Takeover via Change Email Functionality
132
WEB + MOBILE
8. Account Takeover via Change Email Functionality
133
WEB + MOBILE
8. Account Takeover via Change Email Functionality
134
WEB + MOBILE
8. Account Takeover via Change Email Functionality
135
WEB + MOBILE
8. Account Takeover via Change Email Functionality
136
WEB + MOBILE
8. Account Takeover via Change Email Functionality
137
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
138
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
139
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
140
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
141
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
142
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
143
WEB + MOBILE
8. Account Takeover via Change Email Functionality
a. Unconfirmed Email Address Reset to Default
144
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
145
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
146
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
147
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
148
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
149
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
150
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
151
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
152
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
153
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
154
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
Victim Attacker
Currently owns
victim account
155
Victim
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
156
Victim
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
157
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
Victim Attacker
Currently owns
victim account
158
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
159
Attacker
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
160
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
Victim Attacker
Wins!
161
WEB + MOBILE
8. Account Takeover via Change Email Functionality
b. Reclaim Email Address Link Invalidation
After reviewing the issue you have reported, we have decided to award you a
bounty of $2000 USD.
162
WEB + MOBILE
8. Account Takeover via Change Email Functionality
163
WEB + MOBILE
8. Account Takeover via Change Email Functionality
Allow chaining of
secure account
links
Mail to wrong
email address 164
MOBILE
9. Private Account Users Following
165
MOBILE
9. Private Account Users Following
166
MOBILE
9. Private Account Users Following
167
MOBILE
9. Private Account Users Following
HTTP/1.1 200 OK
(SNIP)
{
"status": "ok",
"items": [
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "springsteen",
"has_anonymous_profile_picture": false,
"profile_pic_url": "http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-
xfa1\/t51.2885-19\/11370983_1020871741276370_1099684925_a.jpg",
"full_name": "Bruce Springsteen",
"pk": "517058514",
"is_verified": true,
"is_private": false
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": ["http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-
15\/s150x150\/e35\/11373935_872054516217170_419659415_n.jpg?"],
168
MOBILE
9. Private Account Users Following
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "pentesttest",
"has_anonymous_profile_picture": true,
"profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
"full_name": "rest",
"pk": "1966431878",
"is_verified": false,
"is_private": true
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": [],
"large_urls": [],
"media_infos": [],
"media_ids": [],
"icon": ""
}]
}
169
MOBILE
9. Private Account Users Following
{
"caption": "",
"social_context": "Based on follows",
"user":
{
"username": "pentesttest",
"has_anonymous_profile_picture": true,
"profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
"full_name": "rest",
"pk": "1966431878",
"is_verified": false,
"is_private": true
},
"algorithm": "chaining_refill_algorithm",
"thumbnail_urls": [],
"large_urls": [],
"media_infos": [],
"media_ids": [],
"icon": ""
}]
}
170
MOBILE
9. Private Account Users Following
After reviewing the issue you have reported, we have decided to award you a
bounty of $2,500 USD.
171
MOBILE
9. Private Account Users Following
172
MOBILE
9. Private Account Users Following
173
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
174
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
175
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
176
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
177
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
178
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
179
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
180
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
181
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
182
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
183
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
184
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
Hello again! We'll be doing some fine-tuning of our rate limits and work on the
service used for outbound calls in response to this submission, so this issue will
be eligible for a whitehat bounty. You can expect an update from us again when
the changes have been made. Thanks!
...
After reviewing the issue you have reported, we have decided to award you a
bounty of $2000 USD.
185
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
186
MOBILE
10. Steal Money Through Premium Rate Phone Numbers
187
CONCLUSION
188
CONCLUSION
# Vulnerability Category Bounty
1 Instagram.com Subdomain Hijacking on Local Network Infrastructure $0
2 Employee Email Authentication Brute-Force Lockout Infrastructure $0
3 Public Profile Tabnabbing Web $0
4 Web Server Directory Enumeration Web $500
5 Private Account Shared Pictures Token Entropy Hybrid $1000
6 Private Account Shared Pictures CSRF Hybrid $1000
7 Email Address Account Enumeration Hybrid $750
8 Account Takeover via Change Email Functionality Hybrid $2000
9 Private Account Users Following Mobile $2500
10 Steal Money Through Premium Rate Phone Numbers Mobile $2000 + 1
Total $9750 + 1
189
CONCLUSION https://www.letuschange.net
15%
Development (6)
46%
Design (5)
39% Maintenance (2)
191
CONCLUSION
Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks
#20/152 192
CONCLUSION
Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks
#3/13 193
CONCLUSION
194
CONCLUSION
195
THANK YOU! ANY QUESTIONS?
196