Fixed: Brute-forcing Instagram account passwords

Description:
We can add an Instagram account to a Facebook Page if we have the admin or editor role on that Page. Adding an Instagram account to a Facebook Page allows us to create Instagram ads in Ads Manager without needing to connect the Instagram account to a Business Manager.

There is an endpoint to connect an Instagram account through the mobile browser or mbasic.facebook.com:

POST /PAGE_ID/settings/instagram_ads/ HTTP/1.1
Host: mbasic.facebook.com
fb_dtsg: — sanitized — 
jazoest: — sanitized — 
username: VICTIM_INSTAGRAM_USERNAME
password: VICTIM_INSTAGRAM_PASSWORD
page_id: ATTACKER_PAGE_ID

Login Security:
Facebook uses a rate-limiting mechanism to protect the login request from password guessing. This means we can attempt at most 20 wrong passwords in a day. If we exceed 20 attempts, it fires the message “too many requests” and further requests are blocked.

What was the bug here?

At this endpoint, Facebook failed to block such attempts by blocking the victim's account on the server side.
The limit was 20 requests per “each Facebook Account”, not per targeted Instagram account.

Bypassing the Rate Limiting:

1 Facebook account = 20 wrong password attempts possible at a time.
10 Facebook accounts = 200 wrong password attempts.

At this point, I didn't have a million user accounts to try out more attempts.

According to Facebook, we can also create test accounts for Facebook applications.

[ref: https://developers.facebook.com/docs/apps/test-users/ ]
Each Facebook application can create 2000 test accounts (like the ones we can create using “/whitehat/accounts/”).

I created around 15 Facebook apps.

15 apps x 2000 test accounts = 30,000 test users in a single Facebook user account.
I created 10 regular Facebook user accounts.
That means 10 x 30,000 = 300,000 test users.

So finally, I could attempt 6,000,000 passwords daily.
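The bug and the bypass arithmetic above come down to one design choice: which identity the failed-attempt budget is attached to. The following added example (my own illustration, not Facebook's code; the class and function names, the 20-per-day budget and the constructed requester and target names are assumptions) models a failure budget that can be keyed by the requesting account, by the targeted account, or by both, and replays the post's scenario of 10 requesters each trying 30 wrong passwords against one target. It also includes a detection helper that flags a target being hit from many distinct requesters, which is the signature of the distributed guessing described here.

```python
import time
from collections import defaultdict

DAILY_LIMIT = 20            # wrong-password budget per day, as described in the post
WINDOW_SECONDS = 24 * 3600  # rolling window over which failures are counted


def key_by_requester(requester, target):
    """Budget attached to the account making the request (the flawed scheme)."""
    return ("requester", requester)


def key_by_target(requester, target):
    """Budget attached to the account whose password is being checked."""
    return ("target", target)


class FailureBudget:
    """Rolling-window failed-attempt counter.

    key_fns lists every identity a failure is charged against; a request is
    allowed only if *all* of those budgets still have room. This is an assumed
    design for illustration, not Facebook's actual implementation.
    """

    def __init__(self, key_fns, limit=DAILY_LIMIT, window=WINDOW_SECONDS):
        self.key_fns = list(key_fns)
        self.limit = limit
        self.window = window
        self.failures = defaultdict(list)  # key -> timestamps of failures

    def _prune(self, key, now):
        cutoff = now - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]

    def allow(self, requester, target, now):
        for key_fn in self.key_fns:
            key = key_fn(requester, target)
            self._prune(key, now)
            if len(self.failures[key]) >= self.limit:
                return False
        return True

    def record_failure(self, requester, target, now):
        for key_fn in self.key_fns:
            self.failures[key_fn(requester, target)].append(now)


def simulate(budget, n_requesters, attempts_each, target="victim_ig", start=0.0):
    """Replay the post's scenario: n_requesters accounts each submit
    attempts_each wrong passwords for one target, one second apart.

    Returns (guesses that reached the credential check, list of (requester,
    target) for every attempt, allowed or blocked). Constructed data: every
    guess is assumed wrong, so each allowed attempt is charged as a failure.
    """
    reached = 0
    events = []
    t = start
    for r in range(n_requesters):
        requester = f"fb_account_{r}"
        for _ in range(attempts_each):
            t += 1.0
            events.append((requester, target))  # log denials too: they are the signal
            if budget.allow(requester, target, t):
                reached += 1
                budget.record_failure(requester, target, t)
    return reached, events


def flag_distributed_guessing(events, min_requesters=5):
    """Detection: targets that attracted failed attempts from at least
    min_requesters distinct requesting accounts within the event set."""
    per_target = defaultdict(set)
    for requester, target in events:
        per_target[target].add(requester)
    return sorted(t for t, rs in per_target.items() if len(rs) >= min_requesters)


if __name__ == "__main__":
    flawed = FailureBudget([key_by_requester])
    hardened = FailureBudget([key_by_requester, key_by_target])
    print("per-requester budget:", simulate(flawed, 10, 30)[0], "guesses reached the check")
    print("per-requester + per-target:", simulate(hardened, 10, 30)[0], "guesses reached the check")
    print("flagged targets:", flag_distributed_guessing(simulate(FailureBudget([key_by_requester]), 10, 30)[1]))
```

With the budget keyed only on the requester, every additional account the caller controls adds another 20 attempts against the same victim, which is exactly the multiplication the post performs. Charging the failure against the targeted account as well caps the whole population of requesters at 20 per day for that victim, and logging denied attempts alongside allowed ones is what lets the detection helper see the many-requesters-one-target pattern even after the limiter has started blocking.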


Timeline

Sep 21, 2018 — Report Sent
Sep 25, 2018 — Clarification requested by Facebook
Sep 26, 2018 — Clarification sent
Oct 3, 2018 — Triaged
Oct 3, 2018 — Closed as Informative (Impact is minimal)
Oct 4, 2018 — More details sent.
Oct 8, 2018 — Triaged
Oct 26, 2018 — Asked for updates.
Nov 8, 2018 — Fixed.
Nov 14, 2018 — Bounty Awarded.