Using a phone number for password reset seems like a terrible idea in general, especially if you have SMS-based 2FA. Phone numbers are way too easy to social engineer, and if your second factor can reset your first one, you don't have 2FA.
Also if I am reading it correctly, it sounds like the rate limiting was being done per-IP, which sounds strange. Why wouldn't Instagram just allow a fixed number of tries (some low limit, like 25) from any IP before invalidating the code? I don't really see a scenario where it makes sense to have per-IP rate limiting here. I guess they are probably just using the rate limiting features built into whatever framework Instagram is using for their API.
> Also if I am reading it correctly, it sounds like the rate limiting was being done per-IP, which sounds strange.
Seems to me that the main mistake was not rate limiting per account, right? If you get 200k reset attempts for a single user, something is severely wrong.
Or maybe they did and it didn't work; he makes reference to a race condition in the original post but doesn't elaborate.
He didn't really explain it, but I think what was going on is that the rate limiting is done per account, and the race condition was a way to circumvent it. He has to make all the requests very quickly because the first thing every request does is determine whether new requests for this account should be ignored. All the requests are received around the same time, they all make this check and decide they are valid, and only then do they each record that an attempt was made for that account (locking it).
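To make that concrete, here's a contrived sketch of the suspected check-then-act shape; the names and limits are assumptions (not Instagram's actual code), and the sleep stands in for the latency between reading the counter and writing it back, e.g. a database round trip:

```python
import threading
import time

MAX_ATTEMPTS = 3
attempts = 0   # per-account attempt counter (the shared state)
accepted = 0   # how many guesses got through
tally_lock = threading.Lock()

def try_code() -> None:
    global attempts, accepted
    if attempts >= MAX_ATTEMPTS:   # check...
        return
    time.sleep(0.05)               # ...window where everyone else checks too...
    attempts += 1                  # ...then act
    with tally_lock:
        accepted += 1

threads = [threading.Thread(target=try_code) for _ in range(200)]
for t in threads:
    t.start()
for t in threads:
    t.join()

print(f"{accepted} guesses accepted despite a limit of {MAX_ATTEMPTS}")
```

All 200 threads pass the check before any increment lands, so the limit never fires.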
The rate limiting for IPs is probably global (not related to the reset endpoint).
I think you are dead on, yeah, it's the quick rate of large numbers of requests that avoids the per-account rate limiting. Curious how they resolved this: run all authentication requests for a given user serially and in a consolidated fashion at some point? Exclusive-lock the relevant db record before checking the code and recording the failure?
Yeah, my first thought was to make every attempt acquire some per-user lock with a timeout. It's pretty much the same thing. Either one would have a negligible effect on legitimate requests and would solve the problem.
Could start by incrementing the value, then checking if it's below the threshold, similar to an atomic fetch_add operation. PostgreSQL has RETURNING clauses, SQL Server has OUTPUT clauses, etc...
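A minimal sketch of that increment-then-check shape with psycopg2, assuming a hypothetical reset_attempts table keyed by account_id; the UPDATE ... RETURNING runs atomically, so concurrent requests each see a distinct counter value and the check-then-act window disappears:

```python
import psycopg2

MAX_ATTEMPTS = 25

def attempt_allowed(conn, account_id: int) -> bool:
    """Atomically bump the counter and report whether this guess may proceed."""
    with conn.cursor() as cur:
        cur.execute(
            """
            UPDATE reset_attempts
               SET attempts = attempts + 1
             WHERE account_id = %s
            RETURNING attempts
            """,
            (account_id,),
        )
        row = cur.fetchone()
    conn.commit()
    # No row means there is no pending reset code for this account.
    return row is not None and row[0] <= MAX_ATTEMPTS

# Usage (placeholder DSN):
# conn = psycopg2.connect("dbname=auth")
# if attempt_allowed(conn, 42): ...
```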
Yeah it is hard. The enforcement would need to be done on a single backend. Not all users need to have their auth done by the same specific backend, but each user individually should always have their auth go to the same backend (or same concurrency domain, if distributed locking applies to the architecture).
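A minimal sketch of that pinning idea, assuming a hypothetical fixed pool of auth backends: hash the user ID so every attempt for a given account lands in the same concurrency domain, where its counter can be enforced locally.

```python
import hashlib

# Hypothetical pool of auth backends; each account maps to exactly one,
# so its rate-limit counter is only ever touched in one place.
BACKENDS = ["auth-0", "auth-1", "auth-2", "auth-3"]

def backend_for(user_id: str) -> str:
    digest = hashlib.sha256(user_id.encode()).hexdigest()
    return BACKENDS[int(digest, 16) % len(BACKENDS)]

print(backend_for("victim_account"))  # always the same backend
```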
Likely this is to prevent malicious attempts to block access to an account. I can definitely imagine someone trying to lock out a popular account by abusing the password reset mechanism: if the limit is per-account instead of per-IP, then you could fairly easily deny access to any account by spamming failed attempts.
If you use a sharded "eventual consistency" database cluster to store the number of reset attempts per interval, then an attacker can buy enough IPs to overwhelm your "eventual" threshold unless each reset attempt forces consistency before evaluating whether the limit is reached. That qualifies as a "race condition" in loose terms, even if not the classical sort programmers usually mean, and it admits the easy fix described: take a consistent read lock, rather than an inconsistent one or none at all, when checking the rate limit.
Also for people who don't have mobile phone signal at home (hello us), it's almost impossible to use these 2FA systems. There are a few systems including the UK government's own "Verify" scheme for submitting tax returns that I quite literally cannot use.
Not that mobile phone 2FA is actually secure. Fraudsters in the UK have discovered that it's possible to take over phone numbers rather easily because that relies on the phone companies' own systems which are (predictably) insecure.
My understanding is that "WiFi Calling" involves having your phone set up an IPsec tunnel (authenticated by your SIM) with your carrier, and then transferring essentially the same packets over that as would be transferred to the cell tower. I think that includes SMS traffic along with everything else.
(IIRC, the 3G and LTE versions of the tunnel carry traffic at different layers of the protocol stack, but in both cases being able to handle SMS and similar non-Internet features is part of the goal. As is being able to handoff between wifi and cellular transports in the middle of a call — I have no idea how well that works in practice.)
> Why wouldn't Instagram just allow a fixed number of tries (some low limit, like 25) from any IP before invalidating the code?
This could make it very easy to perform a DoS attack against a user. You could constantly send failed attempts and make it impossible for the user to type in the real code before you invalidate it.
I have turned off phone 2FA on all services that permit me to do so, after getting hacked by someone using that exploit. Typically I use Google 2FA via Authy, or Authy itself.
Yes, you have to disable “multiple devices”. You just have to remember to re-enable it if you want to install Authy on a new phone and reinstall from backup.
I've been using Google Voice for that purpose for years, and it has been perfect. A phone number that is for 2FA only shouldn't be as easy to social engineer out of your typical telecom, since it is all controlled from within my Google account, and I get immediate security notifications if something fishy is up.
That's a great plan, and it definitely reduces your exposure to SIM hijacking. Unfortunately, I suspect services that enforce poor security standards are probably not following best practices in their backend either, which means your secret number stops being secret if their database ever leaks.
It's still better than using the same number as you use for everything else, but it's important to understand the caveats.
I used to work at a cell phone company. One day I needed to change my SIM card, so I called up the help desk:
"Hi I have a new SIM card, can you please activate it?
— Sure what's your number and IMSI?
— My number is ..., the IMSI is ...
— OK done"
And so, just like that, I took over someone else's phone number. Not on purpose, but the guy made a mistake punching in my number, didn't verify my identity, and ended up assigning someone else's phone number to my SIM card. I called the guy back after realizing that I wasn't getting calls and that the people I called thought I now had a new number.
Granted it was a while ago but the experience gave me a very low opinion of SMS for 2FA.
Friend of mine walked into a mobile phone store to do pretty much the same thing and he was also extremely surprised that they didn't ask for any extra info or ID. He did get the correct number, though :)
The first type of attack that should come to mind with SMS-based 2FA is SIM cloning. Identity question answers can be purchased off the dark web from previous leaks. Also, social engineering is notoriously effective against several of the top carriers, who lack effective identity validation. Lives have been ruined.
Is this reset mechanism conceptually flawed? Even with one attempt before invalidating the code, you have a 1:999,999 shot of stealing someone's account by lotto. Not bad odds for an automated process.
It's like every account on Instagram has an alternative six digit password.
You are right. Betting everything on a 6-digit code surely is a mistake. For example, try the same code on a million different accounts and you have roughly a 63% chance (1 - (1 - 10^-6)^1,000,000 ≈ 1 - 1/e) of getting into at least one of them, assuming they use a good random generator.
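A quick sanity check of that figure, assuming one guess per account and uniformly random codes:

```python
# Chance that spraying one fixed 6-digit code across a million accounts
# hits at least one of them.
p_survive = (1 - 1 / 1_000_000) ** 1_000_000  # every single account survives
print(f"{1 - p_survive:.4f}")  # ~0.6321, i.e. about 1 - 1/e, not a certainty
```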
Sony was using 8 characters of alphanumeric at one point. They reduced it to 6 digits. It turns out that the chance of guessing six digits successfully given one or two tries only is low enough to satisfy human beings when it comes to “annoyance versus protection”, especially when codes expire after a couple attempts.
Yeah, that assumes they limit attempts and put code expiry in place, which Instagram did not. It also lacked warning systems for users, as well as a temporary locking mechanism for the feature if the user reports fraud.
Those limits matter more to public personalities than to the average user.
The problem with alphanumeric codes is that people in some countries don't even have an English keyboard installed on their phone. The default is probably their native language, and they don't care to add a secondary layout or switch.
Is that a thing? Domain names, email addresses, passwords all tend to require the latin character set. Here in Japan I can't remember seeing a single site that uses kanji passwords.
I spot-checked some of those IPs in the video, and it appears all of them are on Amazon. So, what does the attacker's stack look like? Is it a bunch of servers running PHP and listening for a connection to run curl? Or Lambda functions configured to proxy the connection attempt to IG? Curious how much effort goes into setting up an attack like this. It's surprising (to me) that so many IPs can be used for so little money.
I've done scraping distributed over many IPs. I used Luminati, bought X IPs, ran a bash script to download all the IPs to a file, read the file in from Python, and spun up a new thread for each IP. They were just used as proxies; all activity was controlled by a single server.
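A minimal sketch of that setup, assuming a file of proxy ip:port entries (one per line) and a placeholder target URL:

```python
import threading
import requests

TARGET = "https://example.com/endpoint"  # placeholder target

def worker(proxy: str) -> None:
    # Route this thread's traffic through its own proxy.
    proxies = {"http": f"http://{proxy}", "https": f"http://{proxy}"}
    resp = requests.get(TARGET, proxies=proxies, timeout=10)
    print(proxy, resp.status_code)

with open("ips.txt") as f:  # hypothetical file of ip:port lines
    entries = [line.strip() for line in f if line.strip()]

threads = [threading.Thread(target=worker, args=(e,)) for e in entries]
for t in threads:
    t.start()
for t in threads:
    t.join()
```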
Re Amazon, I've done that too, and the way it works is you start up an EC2 instance that does the work and sends back info. In my case I sent the info to an S3 bucket and then pulled all the info from that bucket elsewhere once all the machines finished. Ultimately you pay for what you use, and if you only use an hour across a ton of machines and use the cheapest machine, it's pretty cheap.
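A hedged sketch of that collect-via-S3 pattern with boto3; the bucket and key names are made up:

```python
import boto3

s3 = boto3.client("s3")

# On each worker instance, once its chunk of work is done:
s3.put_object(Bucket="scrape-results", Key="worker-42.json", Body=b'{"done": true}')

# Later, on the collector machine, pull everything back:
for obj in s3.list_objects_v2(Bucket="scrape-results").get("Contents", []):
    body = s3.get_object(Bucket="scrape-results", Key=obj["Key"])["Body"].read()
    print(obj["Key"], body)
```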
FYI: Luminati will give you unlimited bandwidth for like $1/IP/month.
Worth noting that price is for datacenter IPs; residential ones are much more expensive, and I've heard that IG is rejecting more datacenter traffic as of late.
Is this the company that offers a free VPN extension and pays for it by selling those people's machine bandwidth? I always thought their business model was way too shady to be legal.
It's very easy to Terraform 1,000 nano instances on EC2; as he said, it wouldn't be expensive at all. In fact he estimates $150, but for 1,000 nano instances running for 10 minutes I believe it's under a dollar. Possibly nano instances aren't powerful enough to spam the verify endpoint hard enough, though.
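Back-of-the-envelope, assuming an on-demand t3.nano at roughly $0.0052/hour (region-dependent):

```python
instances = 1_000
hours = 10 / 60            # ten minutes
rate = 0.0052              # assumed t3.nano $/hour
print(f"${instances * hours * rate:.2f}")  # ~$0.87
```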
200 curls can be run from any EC2 instance; there is literally no overhead.
Personally I would spin up a million Lambda functions and just see what happens. Each one definitely wouldn't get its own IP, but maybe you would get good coverage?
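For what it's worth, the fan-out itself is a few lines of boto3, assuming a hypothetical pre-deployed function named "probe" that takes a code range:

```python
import json
import boto3

client = boto3.client("lambda")

# Queue one async invocation per block of 1,000 codes.
for start in range(0, 1_000_000, 1_000):
    client.invoke(
        FunctionName="probe",        # hypothetical function name
        InvocationType="Event",      # fire-and-forget
        Payload=json.dumps({"start": start, "count": 1_000}),
    )
```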
> Docker doesn't help distribute requests over IPs
That depends on your orchestration. AWS provide several tools for running Docker without having to maintain your own EC2 hosts.
> You can easily set up a launch configuration for EC2 that runs a script or program... But with a bit more work lambda will save a lot of money
You could do that via a launch configuration but that would be a pretty naff way of doing it. Baked AMI would be easier but personally I'd prefer ECS (Docker) or lambda. Cheaper, quicker to deploy, lower ramp up times.
Ultimately though, there's no wrong way to do this - just personal preference.
Yeah, for sure; a few attempts isn't a problem IMO. Even with only, say, 6 digits, there are too many permutations.
> I have used 1000 different machines (to achieve concurrency easily) and IPs to send 200k requests (that’s 20 percent of total one million probability) in my tests.
I'm just surprised nobody looked at a dashboard and said "huh, this account is getting 200k requests". Surely that should be raising red flags?
How many requests does IG handle per second? I am not even going to guess a number, but I am sure 1,000 specific requests would drown in that. So you would need a dashboard that specifically visualizes this kind of thing. Do that and you are now protecting yourself in one type of scenario, but there are endless other scenarios that you still wouldn't see.
I'm sure IG gets several orders of magnitude more than 1000s of requests per second. Even if a dashboard existed visualizing excess request traffic per route per user, at this kind of request volume there is an indexing lag + a reporting lag + an alerting lag (assuming there is alerting on this specific scenario on top of the dashboard) + a human or automated response lag. It sounds like this attack could be completed in minutes rather than hours or days, so it's feasible that it would have succeeded well before anyone got around to mitigating it.
But once you know that this is a specific attack surface, it's far easier to limit the surface (fix the problem) rather than build a dashboard that a human has to monitor perpetually.
I'm surprised that it's limited to just numbers. Introducing letters and symbols would significantly increase the number of permutations and decrease the odds of a successful brute-force attack.
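The keyspace difference is easy to eyeball (the symbol count here is an assumption):

```python
print(10 ** 6)   # digits only:              1,000,000
print(36 ** 6)   # digits + letters:         2,176,782,336
print(46 ** 6)   # plus ~10 symbols, assumed: 9,474,296,896
```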
I quite recently learnt about “Residential proxies”, for a scraping idea I had. Seems like that can be useful for attacks like this.
It’s surprisingly cheap to get access to services which fan out your requests over millions of normal residential IPs, making them (I assume) hard to block.
Of course their use can be highly objectionable, as can how they got the proxies installed in people's homes in the first place (semi-malware?).
lol... The first sentence below definitely doesn't belong. The second outlines the legitimate use case.
> Hackers and fraudsters use various schemes to fake ad traffic and, as a result, a vast number of ads are never seen by real people. Therefore, more and more companies use proxies to detect fraud, improve ad performance, and check advertisers’ landing pages anonymously.
Is there actually a legit use, though? Like, what's the use case for needing a million residential proxy IPs to legitimately test and evaluate advertising?
There are several of these providers, and the only one I noticed saying how they acquired the IPs was Luminati [0]. I didn't look too carefully at all of them, though.
> When these application vendors integrate the Luminati SDK, their users are offered the alternative to not watch these video ads in return for opting in to the Luminati network.
I believe "Hola VPN" did something similar as a browser extension. (You join our free VPN, you act as a node in our commercial residential IP pool (botnet).)
Pretty interesting that distributed circumvention of rate limiting has to be considered its own class of vulnerability nowadays. I would think (of course) many other services are vulnerable. Rate limiting is hard.
Could someone explain how this person is allowed to do that type of testing (sending 200,000 requests)? How would Facebook know he is a white hat and not a black hat?
I would be interested in starting to try some of these programs, but a bit scared I'd be doing something illegal... Where is the line?
The actual "bug" is that Facebook did not have sufficient controls in place to even detect this type of brute-force attack, much less make it impossible to attempt in the first place. Facebook seems (IN THIS INSTANCE) to have appreciated the white-hat nature of this and awarded the bug bounty, but it very well might not have. And certainly other organizations don't take nearly as friendly stances. Generally, I wouldn't bet on most organizations seeing brute-force attacks as in-scope for bug bounties - this is by no means legal advice though.
They have a bug bounty program that gives you permission to do certain kinds of things without it being illegal, since you're planning to report anything you find (and get paid for it).
So a bit of a strongly worded title. I'm going to nitpick for a second.
First you need the device ID, second you need the code that will be sent via text.
The code sent via text is 6 digits, meaning 10^6 = 1,000,000 permutations. He shows how he can enumerate these using 1,000 IPs, ultimately brute-forcing the reset code.
The device ID is still not captured, although I'm guessing he's handwaving that via a malicious app or something of that nature.
Credit where credit is due: he cleverly enumerates them concurrently across 1,000 IPs and earned his bounty.
Interested in how they fixed it... guessing they added a random session GUID in the URL and maybe increased the entropy and length of the secret.
He's doing the password reset flow from his own device, and receives a link to the form containing the session ID and his device ID. He doesn't need to brute-force those.
Instagram had a limit on the number of times that the user could guess the code, but they had a race condition that let the limit be bypassed. The fix is for them to fix the race condition.
Seems like a lot of improvements could have been made here. After you get the code wrong, it should reset and send you a different code. If you get more than 3 wrong in some pre-determined time, it should lock the person out for some other pre-determined time. You could even use exponential backoff time in both scenarios. Keeping the code the same after getting it wrong just seems really stupid.
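A toy version of that lockout policy, with all numbers illustrative: regenerate the code on a miss, and double the lockout after every window of three failures.

```python
def lockout_seconds(completed_windows: int, base: int = 60) -> int:
    # First window of 3 failures -> 60s, second -> 120s, and so on.
    return base * 2 ** (completed_windows - 1)

for w in (1, 2, 3, 4):
    print(w, lockout_seconds(w))  # 60, 120, 240, 480 seconds
```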
Mathematically, does regenerating the code make a lot of difference?
You can simulate that by running a loop that generates a random 4-digit number in each iteration and randomly guessing it.
On average, you will guess the number after about 10,000 iterations if it's regenerated each time, since each guess is an independent 1/10,000 shot. Regenerating doesn't change the per-guess odds. The one thing a fixed code buys the attacker is the ability to enumerate the space without repeats, which guarantees a hit within 10,000 tries (about 5,000 on average), so regeneration only costs them roughly a factor of two.
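A quick simulation of both schemes bears that out (4-digit space as in the comment above; the attacker enumerates without repeats against a fixed code, and guesses blindly against a regenerated one):

```python
import random

TRIALS = 200
SPACE = 10_000  # 4-digit codes: 0000-9999

def fixed_code_tries() -> int:
    # Fixed code: enumerate the space in random order, no repeats.
    code = random.randrange(SPACE)
    order = random.sample(range(SPACE), SPACE)
    return order.index(code) + 1

def regenerated_code_tries() -> int:
    # Regenerated code: every guess is an independent 1-in-10,000 shot.
    tries = 1
    while random.randrange(SPACE) != random.randrange(SPACE):
        tries += 1
    return tries

print(sum(fixed_code_tries() for _ in range(TRIALS)) / TRIALS)        # ~5,000
print(sum(regenerated_code_tries() for _ in range(TRIALS)) / TRIALS)  # ~10,000
```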
Nice find, but the original author has no idea what a race condition is. This isn't a race condition; it's just brute force combined with per-IP rate limiting avoidance.
"Because the market has decided that hacking top tier instagram accounts is worth a low seven figures, here is your $1,000,000 payout to save you the time, effort and liability of monetizing this yourself"
And? How much are you going to pay for a script that lets you steal inactive Instagram accounts that you will then go on to sell on a grey market? You're not going to do it yourself, because when (not if) it's discovered how this happened, there will be an investigation, and you'll get caught, lose all the money you "earned" in legal fees, and (bypassing a login screen is textbook, right-in-the-strike-zone CFAA) spend months in prison. So you have to sell it to someone. How much are they paying? How many buyers are there for it? How long do they get to assume the script will keep working? The more people you sell it to, the less time each of them have to run it. And: when they get caught, if you've sold to several people, there's a significant chance you're going to get caught.
The hijacking happens on the grey market because there is no reliable escrow agent and it's already against IG's terms of service.
You don't need this script to find the accounts. You would use it when you promised to buy or sell an account, hacking the phone-number-based 2-factor to either assume control of the account without paying, or to steal it back.
But if you did want to scale this up to stealing normal users' accounts, stealing Instagram accounts is merely a matter of changing the email address twice and then the account name.
After which the original owner knows their account got stolen but has no record of the account, lol, because they don't know the account ID, just the old username and email address, which are long gone and don't match any record. You won't get caught, primarily because there are too many barriers for someone to take it seriously enough to investigate.
Thanks for chiming in. The people on Hacker News often want an easily googleable, peer-reviewed study on stuff that's private for a reason.
It's lazy to derail a discussion with “I didn't see it, so SOURCE! Ha, I'm so right about everything, your whole argument is invalid”
instead of
“oh, that's a problem, what can we do about that?”, especially when unsubstantiated nonsense isn't really a big problem here, while completely misunderstanding problems and solutions is what this forum gets laughed at about.
This isn't answering any of the questions I asked, except that you think "you won't get caught because nobody will take this seriously enough to investigate", which is true if nobody makes more than a couple thousand dollars doing this, but not true if someone manages to make, like, $100,000 doing it.
> but not true if someone manages to make, like, $100,000 doing it.
narrator: people make $100,000 doing it.
Your question? This one?
> How much are you going to pay for a script that lets you steal inactive Instagram accounts that you will then go on to sell on a grey market? You're
But this isn't what anybody is doing. Nobody is trying to do that. Nobody is lurking in the bushes for inactive accounts. People hijack ANY account they please, usually one with some nice level of attention on it. Assuming control of an account properly leaves no trace of the account to the original owner. NOBODY would be able to distinguish a stolen account from a newly, organically built meme account for sale. Neither you nor an investigator would know if the current seller is the hacker, either. It's impossible to answer your question for these reasons.
I'll try to answer it: I'd probably pay $500, because I don't really keep track of the dollar value of my cryptocurrency balances on Empire Market or Nightmare, since code and documents aren't illegal goods and the Department of Justice has said time and time again that it isn't going after consumers, even if my OPSEC were broken (I use Monero exclusively, not transparent cryptocurrencies like Bitcoin). I just kind of buy anything that looks somewhat interesting and somewhat exclusive. Otherwise I'd really just wonder why the code isn't on GitHub already for me to clone and move on.
You'd pay $500 for it. Let's round that up to $1,000, double what you said you'd pay. And I'll buy that you could get that much for it! Now, this researcher got a $30k bounty from Facebook, so to beat that on the black market he'd have to sell a tool (knowing full well what it'd be used for, and facing the daunting task of trying to talk a jury out of that obvious fact) to thirty-one people who will then do god knows what the fuck with it, all of which he will be an accomplice to.
This is a bad business plan. To see why, just Google "Marcus Hutchins".
Marcus Hutchins took a plea deal, so we'll never know. The first article in the Washington Post was about why charges such as "conspiracy to violate the CFAA" are a stretch. With that in mind, there basically isn't anyone to Google, and no case law. Are we even still talking about the now-patched brute-force guessing of a 2-factor code? Because now you're gearing up to dissect a legal theory that fails any equivalency and has no case law whatsoever. Classic internet discussion.
Now back to the practical reality: you wouldn't get caught selling it on a darknet market. You would just post in the forum and 31 people would buy it for $1,000 in a few days. Have you even used a darknet market? Have you ever used Monero? Have you ever done an obligatory cleaning of Bitcoin just because you don't know what THEY did with it? You are trying so hard to support your position by making all of this sound unfeasible, when it's exactly what goes on every day.
You would sell it at a premium JUST BECAUSE the earliest clients will do "god knows what the fuck with it". That would be the literal sales pitch! Accomplice? Ehhh, maaaaybe, but not really a concern.
And even with all that, you're missing how much the customers would make. These are the ones incurring the most liability, and they use the clearnet and still wouldn't face real consequences.
You're missing how the exploiter would do it themselves before considering selling copies, which is what I was alluding to. The exploiter would already understand how to control and monetize Instagram accounts and make several hundred thousand dollars, or millions over time. A 500k-follower meme account with 3% engagement could make $1,000 per week from promos if you worked at it, and be sold for a revenue multiple. Take a bunch of those. Rinse, repeat.
You're inventing viable business plans trying to argue with me; it's wild.
And Facebook couldn't see any evidence this hack was worth $30,000 until there was video evidence and a detailed description given to them exclusively, with no information on message boards or in articles to put it in the collective consciousness, or "peer review" publicly. So does your perception matter? Anyway, I detailed how the Instagram economy works in one of my other comments.
Also, it wouldn't be temporary access, lol. When you take over an Instagram account, you change the email address and the username twice: the person you took it from gets the alert email for the first change, and the second email gets the alert for the second change to the third email address. The original owner doesn't know what or where the account is anymore.
It's not "worth" $30,000; it's probably worth much less than that. The $30,000 has a much more powerful marketing function than it does intrinsic utility.
It's temporary access because you can trivially write a tool that goes through Facebook's audit logs to find out which accounts have likely been taken over using this tool, which is something Facebook would certainly do if there was evidence that people had been exploiting it at any kind of scale.
A big chunk of my last year has been in ATO detection and mitigation and I think you'd be surprised what kind of dumb stuff generates serious investigations from companies with far fewer security team resources than Facebook.
It would not be that profitable anyway after factoring in server costs. Say you hack into one celeb account: Instagram would immediately recognize the problem and fix it, but until they do, maybe you could make a few hundred dollars promoting some crypto thing. Who knows. Instagram does not allow live links and suppresses posts that look like ads, so instead of being seen by millions of followers, a post is only seen by thousands.
Accounts are basically worth an additional $100 for every 5,000 followers, multiplied by engagement percent. I.e., a 1% engagement account with 5,000 followers would be worth around $100; 2% with 5,000 followers, around $200. Forget accounts with high heat (A- and B-list celebrities); people flip meme and inspirational accounts ALL DAY. (This is a simplistic scale based on how I've seen opening bids set, and the negotiations I've had.)
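As a toy formula, that scale works out to something like this (purely illustrative of the comment's own numbers):

```python
def account_value(followers: int, engagement_pct: float) -> float:
    # ~$100 per 5,000 followers, scaled by engagement percent.
    return followers / 5_000 * 100 * engagement_pct

print(account_value(5_000, 1))    # ~$100
print(account_value(5_000, 2))    # ~$200
print(account_value(500_000, 3))  # ~$30,000
```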
When you aren't flipping and suddenly rebranding accounts, you get ROI by doing promos, which have a fairly fixed cost: $10 to post about someone else or tag them in a story. The better your account is, the more you can charge and the less time you have to show someone's promo. With stories you can stack promos all day and break even on an account in a week.
You get ROI and break even very quickly.
(A hacker or phisher may try other things, like scamming D-list models' thirsty followers in Direct Messages.)
> maybe you could make a few hundred dollars promoting some crypto thing
False. You'll get 2% of the entire currency pre-mined and minted straight to you, 3% of the funds raised, and upfront fees in the low five figures.
And if the crypto is post-launch, you'll get upfront fees, a lot fewer tokens, and then the hundreds of thousands you'll make pumping it if people bite. Otherwise, you have to buy in yourself and hope you can pump it; if you are poor, that's the only way you'll wind up with "just a few hundred dollars promoting some crypto thing".
Yeah, leave this to the pros; people imagine this is still just buying fake followers or something that was relevant half a decade ago.
Honestly, I feel like Facebook should be acting as an escrow agent and taking a cut of the promos and account sales. It would be safer for participants and lucrative for FB.
>In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.
No, a cloud provider does not give you nearly that many; I think they only give you 100 or so. IPs are expensive. It would probably cost thousands of dollars to pull this off.