Steps to reproduce:
1) Create an account on Instagram with the email “email@example.com”
2) Log in to the account and change the email to “firstname.lastname@example.org”
3) Click on the verification link sent to “email@example.com”; this will change the account's email to the old email, which is “firstname.lastname@example.org”
This seems to be a coding misconfiguration: after clicking the confirmation link, the email should change to “email@example.com”
Attack Scenario:
1) The attacker has compromised the user's email account “firstname.lastname@example.org”
2) The user comes to know about the email account compromise.
3) The user changes his/her Instagram email to his/her new email email@example.com
4) The user clicks on the link received at “firstname.lastname@example.org”
but this changes the email back to “email@example.com” (the user does not know about this because there is no notification on the verify page)
5) The user thinks he/she has changed the email and is safe now
6) The attacker requests a password reset link for the Instagram account, because he has already compromised the old email account, and compromises the Instagram account.
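A minimal model of the flaw described above next to one way to close it, added here as an illustration and not Instagram's code. It assumes the confirmation link stored the address it was issued for and stayed valid after a later email change; the class, function names and addresses are constructed for the example.

```python
import secrets


class Account:
    def __init__(self, email):
        self.email = email
        self.email_version = 0  # bumped on every email change


class EmailConfirmer:
    """Issues confirmation links and applies them when clicked."""

    def __init__(self, check_version):
        self.check_version = check_version  # False = vulnerable, True = hardened
        self.tokens = {}  # token -> (account, address, email_version at issue)

    def send_link(self, account, address):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (account, address, account.email_version)
        return token

    def change_email(self, account, new_address):
        account.email = new_address
        account.email_version += 1
        return self.send_link(account, new_address)

    def confirm(self, token):
        account, address, version = self.tokens.pop(token, (None, None, None))
        if account is None:
            return "invalid"
        if self.check_version and version != account.email_version:
            return "stale"  # link predates a later email change: refuse it
        account.email = address  # without the check, an old link reverts the change
        return "confirmed"


def replay(check_version):
    """Replays the three reproduction steps and returns (result, final email)."""
    svc = EmailConfirmer(check_version)
    acct = Account("old@example.test")            # constructed address
    old_link = svc.send_link(acct, acct.email)    # step 1: link goes to old address
    svc.change_email(acct, "new@example.test")    # step 2: user changes the email
    return svc.confirm(old_link), acct.email      # step 3: old link is clicked
```

With the version check disabled the old link silently restores the old address; with it enabled the link is rejected and the new address stays in place.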
P.S.: Please ignore the video, I used to hunt on my father’s PC in those days :p
22 Feb 2016 – Initial Report sent to Facebook.
03 March 2016 – Facebook confirmed and fixed the issue.
22 March 2016 – $2000 rewarded.
🙂 Started Facebook Bug Bounty again, hope I find something 🙂