Fixed : Brute-force Instagram account’s passwords

Sameer Rao
Mar 5, 2019 · 2 min read

Description :
We can add an Instagram account to a Facebook Page having a role on the page as an admin or editor. Adding an Instagram account to Facebook Page will allow us to create Instagram ads in Ads Manager without needing to connect to the Instagram account to a Business Manager.

There is an endpoint to connect Instagram account through the mobile browser or “mbasic.facebook.com”

POST /Redacted HTTP/1.1
Host: mbasic.facebook.com

fb_dtsg: — sanitized —
jazoest: — sanitized —
username: VICTIM_INSTAGRAM_USERNAME
password: VICTIM_INSTAGRAM_PASSWORD
page_id: ATTACKER_PAGE_ID

Login Security:
Facebook uses a rate-limiting mechanism to protect the login request from being password guesses. I could attempt only max 20 wrong passwords in a day. If I exceed 20 attempts, it fired “too many requests.” and then a further request will be blocked.

What was Bug here?

At the endpoint, Facebook failed to block attempts over Victim Account on the server side.
The limit was 20 requests “each Facebook Account.”

Bypassing a Rate Limiting:

1 Facebook Account = 20 wrong password attempts were possible at a time.
10 Facebook Accounts = 200wrong password attempts.

At this point, I didn’t have a million user account’s to try out more attempts.

According to Facebook, we also can create a test account for Facebook applications.

[ref- https://developers.facebook.com/docs/apps/test-users/ ]
Each Facebook application can create 2000Test Accounts ( like one we can create using “/whitehat/accounts/”)

I created around 15 Facebook Apps.

15 apps x 2000 Test Accounts = 30,000 Test Users in a Single Facebook User Account.
I created 10 Regular Facebook User Accounts.
That mean, 10x30,000 = 300,000Test users

So Finally, I could attempt 6,000,000 passwords daily.


Timeline

Sep 21, 2018 — Report Sent
Sep 25, 2018 — Clarification requested by Facebook
Sep 26, 2018 — Clarification sent
Oct 3, 2018 -Triaged
Oct 3, 2018 — Closed as Informative( Impact is minimal)
Oct 4, 2018 -More details sent.
Oct 8,2018 — Triaged
Oct 26, 2018 — Ask for updates.
Nov 8,2018 — Fixed.
Nov 14,2018 — Bounty Awarded.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store