Kassem Bazzoun

Published On: 10 May 2019

Admin/Editor can take over the Instagram account connected to a Facebook Page

Instagram | Web

A Facebook Page can have an Instagram account connected to it. Any Admin or Editor of the Page could change sensitive information (email, phone number, username) of the connected Instagram account, which allowed them to take over that account: change the email or phone number to one they control, then use the "forgot password" flow to reset the password.



This bug allowed a Page Admin, Editor or Moderator to change sensitive information (email, phone number, username) of the Instagram account connected to their Page, which let them take over the account.

Reproduction Steps



  • One of the Page's admins or editors has linked their Instagram account to the Page
  • You are an Admin, Editor or Moderator of that Page


Open your Page settings and choose the Instagram section from the left-hand menu.



An Instagram account belonging to one of the Page's admins or editors is linked to the Page.

Because this account does not belong to you, you are expected to enter its password before changing any sensitive information such as the email, phone number or username.



In the UI you cannot change the following fields:

  • Email
  • Phone Number
  • Username

So how can these sensitive fields be changed?



Intercept the request with any proxy tool (Burp Suite, Fiddler, ...), then click the Save button.



As you can see in the intercepted request, the sensitive fields are sent as ordinary parameters: the server never checks who is allowed to edit them, so you can change the email/phone to yours and forward the request.



The sensitive information is changed successfully. You can now use the "forgot password" option to reset the Instagram account's password. Two-step verification does not stop this either: since the phone number was also changed, the verification code is delivered to you.
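The flaw the steps above describe is a server that treats the client-side UI (greyed-out inputs) as its authorization boundary. The following is an added example, written for this page and not code from the report or from Facebook/Instagram, that models such a handler in Python: a vulnerable version that applies whatever fields arrive in the form, and a hardened version that only lets the linked account's owner change email, phone or username, and only after re-entering the password. All class names, roles, field names and the sample request body are constructed assumptions.

```python
# Added example (not the original report's code). Models the authorization
# flaw described above with constructed data; not Facebook's or Instagram's code.
from dataclasses import dataclass
from urllib.parse import parse_qs
import hmac

PAGE_ROLES = {"admin", "editor", "moderator"}
SENSITIVE_FIELDS = {"email", "phone", "username"}   # account-recovery / identity fields
DISPLAY_FIELDS = {"bio", "website"}                  # assumed harmless, editable by Page roles


@dataclass
class InstagramAccount:
    owner_user_id: str
    username: str
    email: str
    phone: str
    password: str          # plaintext only for this demo; a real system stores a hash
    bio: str = ""
    website: str = ""


@dataclass
class Page:
    roles: dict                  # user_id -> "admin" | "editor" | "moderator"
    linked_ig: InstagramAccount  # the account one of the admins connected


def parse_form(body: str) -> dict:
    """Parse a URL-encoded POST body the way it appears in an intercepting proxy."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_update(page: Page, requester_id: str, body: str) -> InstagramAccount:
    """Applies every recognised field. Nothing but the UI stops a Page editor from
    rewriting the recovery email/phone of an account they do not own."""
    if page.roles.get(requester_id) not in PAGE_ROLES:
        raise PermissionError("not a Page admin/editor/moderator")
    acct = page.linked_ig
    for key, value in parse_form(body).items():
        if key in SENSITIVE_FIELDS | DISPLAY_FIELDS:
            setattr(acct, key, value)
    return acct


def hardened_update(page: Page, requester_id: str, body: str) -> InstagramAccount:
    """Server-side enforcement: unknown fields are rejected, and sensitive fields
    change only for the account owner after a fresh password check."""
    if page.roles.get(requester_id) not in PAGE_ROLES:
        raise PermissionError("not a Page admin/editor/moderator")
    form = parse_form(body)
    acct = page.linked_ig

    unknown = set(form) - SENSITIVE_FIELDS - DISPLAY_FIELDS - {"current_password"}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")

    sensitive_changes = {k: v for k, v in form.items()
                         if k in SENSITIVE_FIELDS and v != getattr(acct, k)}
    if sensitive_changes:
        if requester_id != acct.owner_user_id:
            raise PermissionError("only the Instagram account owner may change recovery fields")
        supplied = form.get("current_password", "")
        if not hmac.compare_digest(supplied.encode(), acct.password.encode()):
            raise PermissionError("password re-authentication failed")

    for key, value in form.items():
        if key in SENSITIVE_FIELDS | DISPLAY_FIELDS:
            setattr(acct, key, value)
    return acct


def make_page() -> Page:
    """Constructed fixture: 'victim' linked their account; 'attacker' is a Page editor."""
    acct = InstagramAccount("victim", "victim_ig", "victim@example.com",
                            "+15550000001", "correct horse")
    return Page({"victim": "admin", "attacker": "editor"}, acct)


# Constructed body: the UI only submitted 'bio', the proxy user added email and phone.
TAMPERED_BODY = "bio=hello&email=attacker%40example.com&phone=%2B15550000002"


def run_demo() -> dict:
    results = {}
    page = make_page()
    acct = vulnerable_update(page, "attacker", TAMPERED_BODY)
    results["vulnerable_email"] = acct.email          # attacker now owns the recovery email

    page = make_page()
    try:
        hardened_update(page, "attacker", TAMPERED_BODY)
        results["hardened_attacker"] = "allowed"
    except PermissionError:
        results["hardened_attacker"] = "denied"
    results["hardened_email_after"] = page.linked_ig.email

    page = make_page()   # the legitimate owner, re-authenticating, may still edit
    acct = hardened_update(page, "victim",
                           "email=new%40example.com&current_password=correct+horse")
    results["owner_email"] = acct.email
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened version is where the check lives: the password prompt and the disabled inputs are client-side hints, while the ownership test and the password comparison run on the server for every request, regardless of what the form contained.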

Kassem 27 Apr 2017

Initial Report

Facebook 05 May 2017

Not the same UI I'm not able to get to the same UI as you. I don't have the option to edit the instagram as admin. All I can do is remove the account. Also your UI ju ...

Kassem 05 May 2017

Responding that this is a new feature.

Facebook 06 May 2017

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook 30 May 2017

Bug Fixed We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does n ...

Kassem 30 May 2017


Facebook 06 Jun 2017

Bounty Awarded Sensitive information should not be editable through this surface.