Showing posts from 2016

Instagram - Account Compromise through Password brute forcing

The Instagram application is not validating the number of requests made to log in to a user account, which made it possible to brute force the password of any Instagram user account.
I reported the issue to Facebook through their whitehat program, but unfortunately I was not the first one to do so. So the report was marked as a duplicate, and the issue was found to be fixed in a few hours.
While brute-forcing, the application throws an error in the response body, but sets an authenticated session cookie. So, once we refresh, the browser uses the newly set cookie and establishes a logged-in browsing session. The following is a video demonstrating the same (post brute force action, not the actual brute force).

Cross Site Scripting and URL redirection ...

Hi Guys,

Almost 2 years back I found a cross-site scripting bug and a DOM-based open URL redirection bug on a certain web site. Since the issues are still not patched, even after 2 years, I have decided to write a blog post on them.

Cross Site Scripting: As per OWASP, "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."

While testing, I ended up working on the support page pointing to . After playing around with the site, I found that it is vulnerable to reflected cross-site scripting on the following URL.…

How I could Delete Instagram Captions and Comments that are not mine,.....

It's been a while since I published my last post. So, here I come with a write-up on chaining multiple issues in a Facebook acquisition - Instagram, that could have allowed me to delete entire comments/captions from the Instagram DB.

For the first 2 hours or so, I could not find anything, as each request has a signature added and I am lazy enough not to understand/reverse the signature logic. So as usual, I was about to close my Mac and then saw a request without a signature.

Bingo.. something to play around with. So I started working on the request, trying to find the most common bugs, like SQLi, XSS, CSRF, etc. Then, to cross-verify a CSRF issue, I used my browser. But to my surprise, in later requests in the browser app, there is no signature at all, but of course the CSRF issue is properly protected.
So while testing with both the App and Browser together, I realised that there is an authorisation flaw in the comment deletion action. But it requires certain comment ID values, which are (supposed to be) n…