'Nir Goldshlager' known as Facebook hacker and founder of Break Security , who reported many critical bugs in Facebook OAuth mechanism in past few months, today disclose a critical vulnerability in Instagram Oauth that allow an attacker to hack any account.
Succesful hack allows attacker to access private photos, ability to delete victim's photos and to edit comments and also the ability to post new photos.
Hacker explained that there are two ways to hack Instagram accounts using OAuth, first via Hijack Instagram accounts using the Instagram OAuth or Hijack Instagram accounts using the Facebook OAuth Dialog.
During his bug hunting Nir found loopholes in Instagram’s security parameters i.e redirect_uri , that allows attacker to pass the access token to his own domain with mx as suffix i.e code straight to breaksec.com.mx.
POC : https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token
In Second method, hacker Hijacks the Instagram accounts using the Facebook OAuth Dialog. "When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place. I discovered that an attacker can use virtually any domain in the redirect_uri, next parameter."
Here attacker can use any domain in redirect_uri, next _parameter via the _redirect_uri in Instagram client_id to steal the access_token of victim's account.
Old Finding by Nir: