OkCupid: Instagram Authentication - No Request Token

ID H1:2965
Type hackerone
Reporter wkcaj
Modified 2014-03-21T21:00:48



On OkCupid, you have the ability to connect your Instagram account. This will sync any photos from your account onto your profile.

This is performed by browsing to https://www.okcupid.com/okphotos/okinstagram.html, which will redirect to Instagram for the user to authorise the request. Once done, you're redirected back to https://www.okcupid.com/okphotos/okinstagram.html#access_token=[access_token], with the Instagram access token in the URL. This then performed an AJAX request to /okphotos/apisync to store the token (and to sync the photos).

The issue with this is that no token is passed along, meaning we can send the https://www.okcupid.com/okphotos/okinstagram.html#access_token=[access_token] URL to another user (maybe via the message function), and therefore load our photos onto their account.


  1. Using account 1, browse to https://www.okcupid.com/okphotos/okinstagram.html, login to Instagram and authorise the application
  2. Copy and paste the redirected URL (https://www.okcupid.com/okphotos/okinstagram.html#access_token=[access_token]) and browse to it whilst logged in to account 2
  3. Browse to account 2's photos
  4. You should see the Instagram album has been added


The Instagram API provides a way of passing along a state parameter with the first request, which will then return it with the callback (see here http://instagram.com/developer/authentication/ for more details). I noticed that some requests send a authcode parameter (presumably for CSRF protection). This could be embedded in the https://www.okcupid.com/okphotos/okinstagram.html page, sent along with the auth request, then picked up from the URL fragment and sent with the AJAX request. This should prevent a CSRF attack.

If you need anymore info just shout, Thank you, Jack