Published On: 10 May 2019
A Facebook Page has an option to connect an Instagram account to it. A Page Admin/Editor/Moderator was able to change sensitive information (email, phone number, username) of the Instagram account connected to their Page, even when that account belonged to another member of the Page team. Changing the email or phone number to one the attacker controls and then using the Forgot Password flow to reset the password let them take over the account.
Step 1: Setup
Step 2
Step 3
An Instagram account belonging to one of the Page's admins/editors is linked to the Page.
Since this account does not belong to you, the UI requires its password before any sensitive information (email, phone number or username) can be changed.
Step 4
In the UI you are not able to make any changes for the
So how can this sensitive information be changed?
Step 5
Set up any proxy tool (Burp Suite, Fiddler, ...) to intercept the request, then click the Save button.
Step 6
In the intercepted request the sensitive fields are present and editable. Change the email/phone to values you control and forward the request; the server applies them without asking for the account password, so the password check existed only in the UI.
Step 7
The sensitive information is changed successfully. Now use the Forgot Password option to reset the Instagram account's password. Two-step verification does not stop this either: because the phone number was changed as well, the verification code is delivered to the attacker's phone.
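The whole chain above, as a constructed Python model added to this writeup (it is not Facebook's or Instagram's code): a linked-account settings handler that applies any field found in the POST body, beside one that enforces on the server what the UI only pretended to enforce, owner-only and password-re-authenticated changes to email, phone and username. The role names, the field names, the non-sensitive `display_name` field, the rejection of unknown parameters and the re-authentication rule are all assumptions made for illustration.

```python
"""Constructed model of the bug class: the UI withholds sensitive fields for an
account the Page member does not own, but the server trusts the POST body.
No Facebook/Instagram API, field or role names are implied by this code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PAGE_ROLES = {"admin", "editor", "moderator"}        # assumed roles that can open the form
SENSITIVE_FIELDS = {"email", "phone", "username"}    # the fields the writeup says were changeable
ALLOWED_FIELDS = SENSITIVE_FIELDS | {"display_name"} # display_name: constructed non-sensitive field


@dataclass
class LinkedAccount:
    """An Instagram account linked to a Page, owned by one team member."""
    owner_id: str
    email: str
    phone: str
    username: str
    display_name: str
    salt: bytes
    password_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(owner_id, email, phone, username, password) -> LinkedAccount:
    salt = secrets.token_bytes(16)
    return LinkedAccount(owner_id, email, phone, username, username,
                         salt, hash_password(password, salt))


def tamper(form: dict, overrides: dict) -> dict:
    """What the attacker does in the proxy: take the form the UI submitted and
    add or overwrite parameters the UI never offered."""
    return {**form, **overrides}


def save_settings_vulnerable(actor_id, role, account, form):
    """Authorization as the writeup implies it worked: any Page admin, editor or
    moderator may submit the form and every known field in it is applied. The
    password prompt lived only in the UI, so a tampered body bypasses it."""
    if role not in PAGE_ROLES:
        raise PermissionError("not a member of the Page team")
    for name, value in form.items():
        if name in ALLOWED_FIELDS:
            setattr(account, name, value)
    return account


def save_settings_fixed(actor_id, role, account, form, password=None):
    """Server-side version of the rule the UI tried to express: sensitive fields
    change only for the account owner, and only after re-authentication."""
    if role not in PAGE_ROLES:
        raise PermissionError("not a member of the Page team")
    unknown = set(form) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected parameters: {sorted(unknown)}")
    requested = SENSITIVE_FIELDS & set(form)
    if requested:
        if actor_id != account.owner_id:
            raise PermissionError("only the owner may change " + ", ".join(sorted(requested)))
        if password is None or not hmac.compare_digest(
                hash_password(password, account.salt), account.password_hash):
            raise PermissionError("re-authentication required")
    for name, value in form.items():
        setattr(account, name, value)
    return account


def demo():
    """Replay the writeup: a Page editor who does not own the linked account
    rewrites its email and phone, then sends the same request against the fix.
    Returns (account_taken_over_by_vulnerable_handler, blocked_by_fixed_handler)."""
    attack = tamper({"display_name": "Victim"},                 # all the UI let the editor edit
                    {"email": "attacker@example.com", "phone": "+10000000002"})
    victim = make_account("victim", "victim@example.com", "+10000000001",
                          "victim_ig", "correct horse battery staple")
    hijacked = save_settings_vulnerable("editor1", "editor", victim, attack)
    taken_over = hijacked.email == "attacker@example.com" and hijacked.phone == "+10000000002"

    victim = make_account("victim", "victim@example.com", "+10000000001",
                          "victim_ig", "correct horse battery staple")
    try:
        save_settings_fixed("editor1", "editor", victim, attack)
        blocked = False
    except PermissionError:
        blocked = victim.email == "victim@example.com"       # nothing was applied
    return taken_over, blocked


if __name__ == "__main__":
    print(demo())
```

The only check the vulnerable handler performs is Page membership, which the attacker legitimately has; everything else was a client-side prompt that disappears once the body is edited in the proxy. The fixed handler re-derives identity and re-checks the password on the server, the one side of the exchange the attacker cannot rewrite, and because the recovery email and 2FA phone are themselves sensitive fields, the same rule covers the phone-number swap that defeated two-step verification in Step 7.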