Instagram Email Verification Issue

Hey guys! This won’t take long: it’s a year-old bug I found in Instagram that I thought I’d share. The bug was very simple, so I won’t write much, just a simple PoC :).

Steps to reproduce:

1) Create an account on Instagram with the email “abc@x.com”

2) Log in to the account and change the email to “def@x.com”

3) Click on the verification link sent to “def@x.com”. This changes the email of the account back to the old email, “abc@x.com”.

This looks like a coding misconfiguration: what should happen is that after clicking the confirm link, the email changes to “def@x.com”.

Attack Scenario:

1) Attacker compromises the user’s email account “abc@x.com”

2) User comes to know about the email account compromise.

3) User changes his/her Instagram email to his/her new email “def@x.com”

4) User clicks on the link received at “def@x.com”, but this changes the email back to “abc@x.com” (the user doesn’t know about this because there is no notification on the verify page)

5) User thinks he/she has changed the email and is safe now

6) Attacker requests a password reset link for the Instagram account, since he has already compromised the old email account, and takes over the Instagram account.
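To make the reproduction steps and the attack scenario above concrete, here is an added illustrative model (my own example code, not Instagram’s implementation) of an email-change flow. The vulnerable service binds the confirmation token to the address that is currently verified instead of the requested one, so confirming silently reverts the change with no notice; the fixed service binds the token to the new address, rejects stale tokens, and records a notification. Class and function names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    email: str                                        # the verified, active address
    pending_email: Optional[str] = None               # address awaiting confirmation
    notices: List[str] = field(default_factory=list)  # what the user would be told

class VulnerableService:
    def __init__(self) -> None:
        self.tokens: Dict[str, Tuple[Account, str]] = {}

    def request_change(self, acct: Account, new_email: str) -> str:
        acct.pending_email = new_email
        tok = secrets.token_urlsafe(16)
        # Bug: the token is bound to the *currently* verified address, not new_email,
        # so confirmation re-applies the old address (abc@x.com in the post).
        self.tokens[tok] = (acct, acct.email)
        return tok

    def confirm(self, tok: str) -> str:
        acct, addr = self.tokens.pop(tok)
        acct.email = addr              # silently becomes the old address again
        acct.pending_email = None      # and no notification is generated
        return acct.email

class FixedService(VulnerableService):
    def request_change(self, acct: Account, new_email: str) -> str:
        acct.pending_email = new_email
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (acct, new_email)   # token carries the address it proves
        return tok

    def confirm(self, tok: str) -> str:
        acct, addr = self.tokens.pop(tok)
        if addr != acct.pending_email:         # reject stale or superseded tokens
            raise ValueError("token does not match the pending change")
        old, acct.email, acct.pending_email = acct.email, addr, None
        acct.notices.append(f"email changed from {old} to {addr}")  # tell both inboxes
        return acct.email

def run_scenario(service: VulnerableService) -> Account:
    """Steps 1-3 of the post: register as abc@x.com, change to def@x.com, click the link."""
    acct = Account(email="abc@x.com")              # constructed sample account
    tok = service.request_change(acct, "def@x.com")
    service.confirm(tok)
    return acct
```

Running the scenario against `VulnerableService` leaves the account on “abc@x.com” with an empty notice list, while `FixedService` ends on “def@x.com” with one change notice.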

Video PoC: https://drive.google.com/file/d/0Bx2_guht6dHMeVN1UEtOSEY0N2M/view

P.S.: Please ignore the video, I used to hunt on my father’s PC in those days :p

Timeline:
22 Feb 2016 – Initial report sent to Facebook.
03 March 2016 – Facebook confirmed and fixed the issue.
22 March 2016 – $2000 rewarded.

🙂 Started Facebook Bug Bounty again, hope I find something 🙂

OCULUS EMAIL FORGERY BY MAILGUN SPF ENTRIES WORTH $1000

** Stay tuned to the blog: I will soon publish another bug of mine on Instagram worth $2000 **

Hey everyone! Once again I’m here with my bug on Oculus, which is owned by Facebook 🙂
Oculus information extracted from Wikipedia:
Oculus VR, LLC, or simply known as Oculus, is an American virtual reality technology company founded by Palmer Luckey and Brendan Iribe, founded in June 2012 at Irvine, California.
What are SPF records/entries?
An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
What was the issue?
I was looking for subdomains of oculus.com when I noticed the SPF entries of oculus.com, which include Mandrill, SendGrid and Mailgun.
I thought something might be fishy here, so I registered an account on all three services. I tried to claim oculus.com at Mailgun, and guess what the result was? THE DOMAIN GOT ADDED, VERIFIED AND FULLY ACTIVE, because the CNAME was also pointing to Mailgun. I was able to claim it probably because the oculus.com service had expired from the official account, or they had never claimed it 🙁
I reported it via the Facebook Whitehat program and got my first bounty from Facebook, which was 1000 USD 😀
I will soon publish another bug of mine on Instagram worth $2000 😀