Mysteriously Lost Instagram Accounts of July 2024

Today I got some news from some of the people I know. It’s related to their Instagram accounts. Both of them are complaining that their Instagram account has been hijacked and started sending scam-related posts using their profile. Furthermore, what is interesting is that the cases have less information about how it could have happened. If you were to ask someone about their Instagram account being hacked, they’d probably tell you that it was a phishing attack. Or a dictionary attack, brute force. But it’s very unlikely that they can get hacked by just clicking on a link, right? Well, that’s what one of the people thought was the reason his account was hacked.

When I heard that, I definitely didn’t believe it. That’s because clicking on a link is a very passive action. It can’t be enough to hack a big social media platform. From celebrities to politicians, they all have an Instagram account. If it were possible to be hacked just by clicking on a link, they would be the first to be hacked.

Now, I’m well aware of CSRF vulnerabilities, but they can’t exist on a platform like Instagram. According to my research, Instagram has multiple defenses against this type of vulnerability, such as CSRF tokens. It’s a company that receives dozens of new reports every hour and fixes them in minutes.

Also, brute force and dictionary attacks are so old that even simple blogging sites have defenses against them. Some of them check for bots, use IP address blacklists/whitelists, or use cookies to block these attacks. Changing IP addresses can make it possible, to a certain level, to brute force a site, but still, it’s brute force in the end. Probably the last option in most scenarios.
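The defenses mentioned above are easy to model. The following is an added example (not from the original post, and not Instagram’s code) of a sliding-window login throttle that counts failed attempts both per source IP and per target account, replayed over a constructed attempt log. The thresholds, window length and addresses are assumptions chosen for the demo.

```python
from collections import defaultdict, deque

# Assumed thresholds for the demo; a real deployment tunes these.
WINDOW_SECONDS = 60
MAX_FAILURES_PER_IP = 10       # catches one client hammering many accounts
MAX_FAILURES_PER_ACCOUNT = 5   # catches many clients (rotating IPs) hammering one account


class LoginThrottle:
    """Sliding-window counter of failed logins keyed on source IP and on account."""

    def __init__(self):
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)

    @staticmethod
    def _prune(timestamps, now):
        # Drop failures that have fallen out of the window.
        while timestamps and now - timestamps[0] > WINDOW_SECONDS:
            timestamps.popleft()

    def is_blocked(self, ip, account, now):
        self._prune(self._by_ip[ip], now)
        self._prune(self._by_account[account], now)
        return (len(self._by_ip[ip]) >= MAX_FAILURES_PER_IP
                or len(self._by_account[account]) >= MAX_FAILURES_PER_ACCOUNT)

    def record_failure(self, ip, account, now):
        self._by_ip[ip].append(now)
        self._by_account[account].append(now)


# Constructed attempt log: (seconds, source ip, target account, password was correct).
SAMPLE_ATTEMPTS = (
    # six guesses at one account from six different addresses (IP rotation)
    [(t, f"10.0.0.{t + 1}", "alice", False) for t in range(6)]
    # one address guessing eleven different accounts (password spraying)
    + [(20 + i, "198.51.100.7", f"user{i}", False) for i in range(11)]
    # the real owner logging in after the window has passed
    + [(200, "203.0.113.5", "alice", True)]
)


def replay(attempts):
    """Run the throttle over an attempt log; return the attempts it rejected."""
    throttle = LoginThrottle()
    rejected = []
    for ts, ip, account, ok in attempts:
        if throttle.is_blocked(ip, account, ts):
            rejected.append((ts, ip, account))
            continue
        if not ok:
            throttle.record_failure(ip, account, ts)
    return rejected


if __name__ == "__main__":
    for entry in replay(SAMPLE_ATTEMPTS):
        print("rejected:", entry)
```

The per-account counter is what catches the rotating-IP case the post mentions: no single address trips the IP limit, but the account does. In practice the counters live in a shared store so every login server sees the same picture, and they sit alongside the bot checks and cookie-based signals named above rather than replacing them.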

Anyway, after that, another person that I know told me that their Instagram account had been hacked. These people contacted me on the same day, and according to what they said, the hacks were done recently. He said that he had received an email about his Instagram account earlier, but he also mentioned that he hadn’t opened it at all. I kept checking the possibility of phishing all the time by asking if they had received anything asking for their credentials. No, they said that they hadn’t received anything like that. Interestingly, his account password or email didn’t change after he was hacked. I wonder if he uses 2FA.

Another thing that is interesting in both of the cases is the conclusion of the attacks. Their account is turned into a spam tool that also uses their name and pictures, targeting people who trust them. The action of the attacks looks almost automated. It doesn’t even care to block the owner’s access to the account. Or does it? Here are my theories:

1) They have been professionally phished, without even realising it. Sometimes the phishing attack can be professionally designed. The victim’s awareness of them plays an important role. Phishing is all about getting the user’s credentials directly from them by making them think they are logging into a service that is officially provided by the platform.

2) The recently released RockYou2024.txt dictionary contains some of the most common passwords that are also used by victims.

3) There is a zero-day vulnerability in Instagram. If that’s the case, the vulnerability should be explored and then fixed shortly after I publish this article. Even if that’s the case, it may be difficult or impossible to recover the hacked accounts. The fact that the second person also wasn’t sure how his account was hacked and the attacker didn’t change his credentials made me think that there might be a vulnerability. And that it might not be possible to change the credentials of people that are using 2FA.

4) If it is possible to get hacked just by clicking on a link, then it is most likely a case of session hijacking. What is that, you may ask. Have you ever noticed how, once you’ve entered your credentials into a website, you don’t have to enter them again for a while, and yet you keep wandering around the site? That’s called a session. When someone clicks on a link or opens a new tab and goes to another website, that website may be able to perform actions by using their already open session. It’s as simple as sending a request from the web browser to the target platform. If CSRF somehow exists in Instagram, it will be a zero-day anyway. Because it’s so critical, it should be fixed in a matter of minutes.
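To make concrete why the CSRF tokens mentioned earlier stop this kind of session riding, here is an added example (not from the original post, and not Instagram’s code) of the server-side check a state-changing endpoint performs, together with a small model of the browser’s SameSite cookie rule. The origin, secret, session store and request shape are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: a real deployment loads these from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SITE_ORIGIN = "https://social.example"

SESSIONS = {}  # session id -> username (in-memory stand-in for a session store)


def login(username):
    """Create a session and return its id; this is the value stored in the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def csrf_token(session_id):
    """Token derived from the session with a server secret. A page on another
    origin cannot read it, so it cannot include it in a forged request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def browser_attaches_cookie(samesite, cross_site, method):
    """Model of the SameSite rule: Strict never sends the cookie on a cross-site
    request, Lax sends it only on top-level GET navigations, None sends it always."""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return method == "GET"
    return True


def handle_publish(request):
    """Server-side check for a state-changing request, e.g. publishing a post.
    request: {"cookies": {...}, "headers": {...}, "form": {...}}"""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "no valid session cookie"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "origin mismatch"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid csrf token"
    return 200, "published as " + SESSIONS[sid]


def demo(samesite="Lax"):
    """Replay a legitimate submission and a cross-site forgery against the same
    session; return the status code each one receives."""
    sid = login("alice")
    legitimate = handle_publish({
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": csrf_token(sid), "body": "hello"},
    })
    # Another origin can make the browser POST to the site, but it controls
    # neither the session cookie (subject to SameSite) nor the token.
    cookies = {"session": sid} if browser_attaches_cookie(samesite, True, "POST") else {}
    forged = handle_publish({
        "cookies": cookies,
        "headers": {"Origin": "https://attacker.example"},
        "form": {"body": "unsolicited promotion"},
    })
    return {"legitimate": legitimate[0], "forged": forged[0]}


if __name__ == "__main__":
    print("SameSite=Lax :", demo("Lax"))
    print("SameSite=None:", demo("None"))
```

With `SameSite=Lax` the forged POST never carries the session cookie, so it fails as an anonymous request; with `SameSite=None` the cookie does ride along, and it is the Origin check and the session-bound token that reject it. The token check is the one layer that works regardless of cookie policy, which is why it is the defense the post names.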

It’s common for people to contact you when their Facebook/Instagram account has been hacked if you’re a tech guy. For me, I don’t even have an Instagram account at the moment, so I can only help them with my raw web hacking knowledge of things like XSS and CSRF vulnerabilities, which are very unlikely to exist there. However, if there is a zero-day exploit on Instagram, I will post this article before any news is released.

Also, did I tell you that I managed to find a vulnerability in Instagram at the age of 14? Fuck yeah! I work for the good of mankind anyway. I didn’t report it to Instagram either. I don’t know if it has been fixed. It crashed the Android version of Instagram when users clicked on a user bio, nothing serious.
