How I Could Steal Money from Instagram, Google and Microsoft

in security •  8 years ago  (edited)

Google

A security researcher found vulnerabilities in Instagram, Google, and Microsoft enabling him to drain money from the companies. Here's how he did it.

Instagram: Link Account to Premium Number

Instagram supports linking a mobile phone number to an account, which allows other users to look them up in Instagram’s global address book. After entering the mobile phone number, Instagram sends a text with the 6-digit token:

Img

However, if one does not enter the code within three minutes on the following screen, Instagram will call from California:

Img
Img

This call would last around 17 seconds. The underlying request who causes this is the one outlined below in burp repeater:

The request to https://i.instagram.com/api/v1/accounts/robocall_user/ could only be replayed once every 30 seconds due to rate limiting. However, it was also noticed that Instagram would happily call any number that was supplied to them, such as a premium number of 0.06 GBP/minute in the UK registered via eurocall24.com:

Read the full post here, including details of Google and Microsoft attacks:

https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!