Instagram Email Verification Issue

Hey guys! So won’t be taking too long, its an year old bug i found in Instagram thought to share, The bug was very simple so not going too write much just simple PoC :).

Steps to reproduce :

1) Create an account on instagram with email “”

2) Login to account and change Email to “”

3) Click on the Verification link sent to “” this will change email of account to the old email which is “”

Which seems an coding misconfiguration what should happen that after click the confirm link email should change to “”

Attack Scenario : 

1) Attacker compromised user Email account “”

2) User came to know about email account compromise.

3) User change his/her instagram email to his /her new email def@x.con

4) User click on the link received at “”
but this changes email back to “” ( User dont know about this cause no notification at verify page )

5) User think he/she changed the email and he/she is safe now

5) Attacker request for reset password link of instagram account cause he compromised the old account already and compromise the instagram account.

Video PoC

P.S : Please ignore the video, i used to hunt on father’s pc those days :p 

Timeline :
22 Feb 2016 – Initial Report sent to Facebook.
03 March 2016 – Facebook Confirmed and Fixed the issue.
22 March 2016 – 2000$ Rewarded .

🙂 Started Facebook Bug Bounty again, hope i found something 🙂 

Leave a Reply

Your email address will not be published. Required fields are marked *