Instagram Email Verification Issue

Hey guys! So I won’t be taking too long; it’s a year-old bug I found in Instagram that I thought I’d share. The bug was very simple, so I’m not going to write much, just a simple PoC :).

Steps to reproduce:

1) Create an account on Instagram with the email “abc@x.com”.

2) Log in to the account and change the email to “def@x.com”.

3) Click on the verification link sent to “def@x.com”. This changes the account’s email to the old email, which is “abc@x.com”.

This seems to be a coding misconfiguration: what should happen is that after clicking the confirmation link, the email changes to “def@x.com”.

Attack Scenario:

1) The attacker has compromised the user’s email account “abc@x.com”.

2) The user comes to know about the email account compromise.

3) The user changes his/her Instagram email to his/her new email “def@x.com”.

4) The user clicks on the link received at “def@x.com”, but this changes the email back to “abc@x.com” (the user doesn’t know about this because there is no notification on the verify page).

5) The user thinks he/she changed the email and is safe now.

6) The attacker requests a password reset link for the Instagram account, because he has already compromised the old email account, and compromises the Instagram account.
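
One way to implement and regression-test the confirmation step so that it behaves as the steps above expect. This is an added example, not Instagram's code, and the post does not describe the root cause; the class and function names are hypothetical and the addresses are the post's sample ones.

```python
import hashlib
import hmac
import secrets

class Account:
    def __init__(self, email):
        self.email = email            # address used for login and password resets
        self.pending_email = None     # requested address, not yet confirmed
        self.token_hash = None        # hash of the one-time confirmation token
        self.notices = []             # (recipient, message) pairs this model "sends"

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_email_change(account, new_email):
    """Store the requested address and return the token mailed to it."""
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.token_hash = _hash(token)
    account.notices.append((account.email, "email change requested"))
    return token

def confirm_email_change(account, token):
    """Apply the pending address only if the token matches; single use."""
    if account.token_hash is None or not hmac.compare_digest(
            account.token_hash, _hash(token)):
        return False
    old, account.email = account.email, account.pending_email
    account.pending_email = account.token_hash = None
    # Tell both addresses the resulting value, so a wrong outcome is visible.
    for rcpt in (old, account.email):
        account.notices.append((rcpt, f"account email is now {account.email}"))
    return True

def password_reset_recipient(account):
    """Reset links go only to the confirmed address."""
    return account.email

def replay_reported_steps():
    """Steps 1-3 from the post, as a regression check."""
    acct = Account("abc@x.com")
    token = request_email_change(acct, "def@x.com")
    ok = confirm_email_change(acct, token)
    return acct, token, ok
```

The notices sent to both addresses cover the gap noted in step 4, where the verify page gave no indication of which address ended up on the account.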

Video PoC: https://drive.google.com/file/d/0Bx2_guht6dHMeVN1UEtOSEY0N2M/view

P.S.: Please ignore the video, I used to hunt on my father’s PC in those days :p

Timeline:
22 Feb 2016 – Initial report sent to Facebook.
03 March 2016 – Facebook confirmed and fixed the issue.
22 March 2016 – $2000 rewarded.

🙂 Started Facebook Bug Bounty again, hope I find something 🙂