
Example Analysis of using Device ID to realize re-hijacking of arbitrary Instagram account

2025-01-22 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through an example analysis of how a Device ID can be used to re-hijack an arbitrary Instagram account. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.

By reusing the device number (Device ID) of a single mobile device to brute-force password reset confirmation codes, arbitrary Instagram accounts can once again be hijacked. Note that the severity of this vulnerability is rated lower than that of the previous one.

Loophole principle

In the previous vulnerability, we saw that when a user initiates a password reset (Password Reset) request, the client mobile device sends a confirmation code (Pass Code) request to the Instagram backend, as follows:

POST /api/v1/users/lookup/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080x2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

q=mobile_number&device_id=android-device-id-here

Looking closely at the request above, the terminal device number (device ID) is the unique identifier the Instagram server uses to authenticate the end user. When a user sends the request from their own mobile device, that device ID is included. In other words, the Instagram backend uses the device ID to verify the user's identity before issuing the confirmation code.

The point to note is that the device ID is a random string generated by the Instagram application for the user, so my idea was: what happens if the same mobile device is used to send the password reset request above for different Instagram accounts? In my testing, the same mobile device produces the same device ID, and that one device ID can be used to send the request for many Instagram users, thereby obtaining a password reset confirmation code for each of them.

Vulnerability exploitation

Because the password reset confirmation code has 6 digits, ranging from 000001 to 999999, there are one million possible values. When we use the same client mobile device to request password reset confirmation codes for multiple accounts, this theoretically increases the chance of hijacking an account. For example, if the same client mobile device requests confirmation codes for 100000 users, then because the Instagram backend returns the confirmation code to that mobile device, the success rate is 10%. By the same reasoning, requesting confirmation codes for one million users raises the odds further, one step at a time.

Therefore, an attacker who sends brute-force requests in this way against 1 million users obtains a password reset confirmation code with a success rate of absolutely 100%. Note also that the confirmation code is only valid for 10 minutes, so the window for a successful attack is only 10 minutes. Combined with the infrastructure described in the previous vulnerability analysis article, this exploitation method can also achieve hijacking of arbitrary Instagram users.
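From the defender's side, the root of the problem described above is that the confirmation code is tied to the device ID rather than to the specific account the reset was requested for, and one device ID can request codes for any number of accounts. The following is an added illustration, not Instagram's code and not from the original article: a hypothetical server-side store that binds each 6-digit code to one (account, device ID) pair, enforces the 10-minute validity mentioned above, limits guesses per code, and caps how many accounts' codes one device ID may hold at once (the cap and attempt limit are assumed policy values).

```python
import hmac
import secrets
import time
from collections import defaultdict

CODE_TTL_SECONDS = 600           # the 10-minute validity the article mentions
MAX_ATTEMPTS_PER_CODE = 5        # assumed policy value for this example
MAX_ACTIVE_CODES_PER_DEVICE = 3  # assumed cap on outstanding codes per device_id


class ResetCodeStore:
    """Hypothetical store: a code is valid only for the account it was
    issued for, only from the device_id that requested it, only once,
    and only while unexpired."""

    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}                      # account -> record
        self.per_device = defaultdict(set)   # device_id -> accounts with live codes

    def _drop(self, account):
        rec = self.codes.pop(account, None)
        if rec is not None:
            self.per_device[rec["device_id"]].discard(account)

    def _purge_expired(self):
        t = self.now()
        for acct in [a for a, r in self.codes.items() if r["expires"] <= t]:
            self._drop(acct)

    def issue(self, account, device_id):
        """Return the code to send out of band, or None if the request is refused."""
        self._purge_expired()
        live_for_others = self.per_device[device_id] - {account}
        if len(live_for_others) >= MAX_ACTIVE_CODES_PER_DEVICE:
            return None  # one device requesting many accounts' codes is the abuse pattern
        self._drop(account)  # a new request replaces any earlier code for this account
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = {"code": code, "device_id": device_id,
                               "expires": self.now() + CODE_TTL_SECONDS, "attempts": 0}
        self.per_device[device_id].add(account)
        return code

    def verify(self, account, device_id, code):
        self._purge_expired()
        rec = self.codes.get(account)
        if rec is None or rec["device_id"] != device_id:
            return False  # no live code for this account, or a different device
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["code"], code)  # constant-time comparison
        if ok or rec["attempts"] >= MAX_ATTEMPTS_PER_CODE:
            self._drop(account)  # single use; burned after too many wrong guesses
        return ok
```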

This concludes the example analysis of using a Device ID to re-hijack an arbitrary Instagram account. I hope the above content is helpful to you and that you learn something from it. If you think the article is good, please share it so more people can see it.
