
Lunch is going to start at twelve-fifteen, so please all give a warm welcome to Arne.

Hi there. I tend to break things, sorry. So my name is Arne, and this one is a bit high, and as has been announced before, I will be talking about some bugs I've hunted in Instagram. As you might have heard, I'm not a native English speaker; I'm actually from Belgium, 26 years old, so apologies for the mistakes that I will be making throughout this presentation. I have been informed by a colleague of mine that I should say "third", not "dirt", for some reason, so I'll try to pay attention to that. Certainly if you notice, please point it out to me, for politeness reasons.

You probably never heard of me, but if you did, it might have been because of a presentation I gave at Black Hat two years ago, in 2014, about a packer I made that could evade antivirus, antivirus in general. Also I'm one of the founders of an event in Belgium, the Cyber Security Challenge. I don't know if you guys have such an event here in the United States; it's like a capture-the-flag competition, but nationwide, for students. Do you have anything like that? Yeah? How is it called? It has no name? Sorry, CCDC, okay, cool. Well, indeed, in Belgium we also started this off last year, and this year it's coming up again, in a couple of weeks actually.

But enough about me, you're here for some technical content. So I'll first start with a brief introduction of bug bounty hunting and Instagram, which I think you probably already know. I'll go over the technical setup that I had to overcome in order to be able to really do some decent penetration testing on Instagram, and last but not least I'll go over a couple of vulnerabilities that I found, divided per category.

So why bug bounty hunting? Any bug bounty hunters in the room? I see a couple of hands. Basically I've been telling myself since 2012, when the major bug bounty programs came to light, that I wanted to do this, but I never made time for it. So bug bounty hunting: it's cool, it's like capture the flag, which I tend to like, and of course you can win some money with it, so that's also a nice extra feature. I did this hunting last year mainly, and also in the beginning of this year; I spent around five to six weeks on this. But I have a full-time job, so this was mainly during vacations, which my girlfriend only appreciated up to a certain level.

Right, Instagram. In Europe it's not that well known, but I'm assuming that many of you have an Instagram account. Who does not have an Instagram account? Maybe... ah, okay, me neither, cool, nice. But why did I choose Instagram? Basically I looked around for write-ups of bugs found in Instagram and I didn't find too many when I started, back in April, so I figured either it must be a very secure product, or it might have some bugs that have yet to be uncovered. So, Instagram, what you need to know for finding bugs: it's really a very simple access control model. You have public accounts and you have private accounts. With a public account, if you upload a picture, everybody can see it; with a private account, it remains private for you. That's very simple, so it was easy to start off with.

Now first of all I had to overcome some technical hurdles in order to be able to decently penetration test this product, which I'll go over with you now. So just to be clear, I don't have an Instagram account, never had one, never used it. So what do you do? You go to the homepage and you find out how the program works. So I wanted to register an account, but that was only possible through a mobile app. Instagram is really mobile app oriented: the first app was on iOS and shortly afterwards Android followed, and most of the functionality, the bulk of it, is in the mobile apps; you can't even register on the web. Now, a couple of months ago they did add registration to their website, but back in the days, in April, I couldn't. So I went for Android, basically because in my day-to-day job as a security consultant I have a bit more experience with testing Android than iOS and I feel a bit more comfortable with it. Also, iOS just worked, but not always, as you have seen. So that's why I went for Android.

Initially, if you're bug bounty hunting a product on the application layer, what you want to see is the communication going back and forth between the client and the server, obviously. So you set up a proxy in your Android system settings, you add the certificate of your intercepting proxy, in my case Burp Suite, a pretty well-known product. But unfortunately this was not working for Instagram: they are basically ignoring the proxy settings of the operating system, so I didn't see any traffic in my Burp. Well, only when browsing to my own blog, that worked, but no traffic was visible from Instagram itself. So it was a small disappointment, no quick win, so I had to go the extra mile for this. The approach I took was: I set up an ad-hoc Wi-Fi network to which my testing device with the Instagram app connected, and I routed the traffic through my MacBook, where my Burp Suite was running and looking at the traffic, and my MacBook received internet from my personal device, which was then connected to the Wi-Fi. Now you could also suggest: why don't you just plug a network cable into your MacBook? But most of this testing, or at least some of this testing, was performed next to a swimming pool on vacation, and they don't tend to have wired access there, so that's why I used the personal device as a router, with USB tethering obviously. Here all traffic on ports 80 and 443 of the ad-hoc Wi-Fi network was redirected to localhost 8080, where Burp was running. So finally I could inspect, I could see traffic coming through; you can see a request going to i.instagram.com. So yes, yes we can.

Looking at the traffic, there was a second hurdle. So here it's a bit bigger: it's a login request, so to i.instagram.com, /api/v1/accounts/login/, and if you look at the parameters you can see two parameters actually: ig_sig_key_version=4 and signed_body. Now, zooming in on signed_body, one could notice that it has two parts: 64 characters, a dot, and then a JSON array which contains the input that I gave, username abc, password abc, along with some device identifiers from my testing device. But basically, if I modified any of these, I would get a response "your version of Instagram is out of date". So they have some protection; they have some signature being calculated over the payload that the mobile application is generating, really to prevent security testing. So this might be one of the reasons that not a lot of bugs were found in Instagram as of now. I investigated this a bit, and actually the algorithm that they use is an HMAC-SHA256 with a secret key embedded in the Instagram for Android application, and they also rotate the key every release. So it's a hurdle.

So what do you do when you need a key that is embedded in some kind of binary? You go fishing. Indeed, let's go fish the key. So I went ahead and decompiled the Android application, the APK, back to its Java code, or something that looks like this, and I found some clues on where this signature is being generated, because basically what we want in the end is to be able to also calculate this signature, so that we can modify traffic and recalculate it. So I found a hint, getSignatureString; it's not very obfuscated. But unfortunately this is a native function: it's not implemented in Java but it's a native function implemented in some native libraries that were included. You see here that they are loading the libraries "scrambler" and "strings", which correspond with two libraries that are also included in the APK, libscrambler.so and libstrings.so. So I went ahead and decompiled these libraries, mainly the function getSignatureString in libstrings. I used Hopper for this, because it has a free trial of 30 minutes, so it was also convenient; IDA Pro is a bit more expensive, so that's why I went this way. And here indeed you have getSignatureString, here you have the calculation of the HMAC-SHA256, and here the key that is being used to generate it is coming from the other library that was loaded, scrambler, getString. So I was like, okay, I'm really close, this is the function that serves the key, so I just must have a go with this function and I'll get the key. This is the implementation of the function. It's pretty dynamic; it's not like a hard-coded embedded string that is being returned, it's being calculated, and there are some more calls to some other similar subfunctions. So this was not as easy to fish as I would have thought.

Now I had the idea to really make a key generator out of this, but because they change the key every version, it would have been a lot of work. So I took another approach: I used a hooking framework called Frida. Anybody heard of Frida before? Okay, it's pretty new. You also have some other hooking frameworks for Android: you have Xposed, you have Cydia Substrate, also for iOS, but Frida is really the new kid on the block that also supports hooking of native functions, whereas the other two have some support for it but it's not as stable as the hooking of Java functions. So I implemented this tiny little script that hooks the scrambler getString function and just outputs it on returning, so it's really hooking the native library. And then I went ahead, ran this script and tried to log in again, to trigger a calculation in the Instagram app, and it spits out the key that we need, a very long key. Of course I was not sure if this was the key, so I went ahead, I took my payload, I took the key, calculated the HMAC, and indeed, if you remember, this is indeed the signature that was in the original request. So yes, another tiny success.

Now we are not there yet of course. We have the key, but what you really want to do is to be able, in our intercepting proxy, to modify some data in a payload, forward it, and have it accepted by Instagram servers. So I went ahead and implemented a Burp Extender extension, so a plugin, which basically hooks all outgoing requests. It checks: okay, is there a signed_body parameter in there? If yes, recalculate the signature over the new payload and, hop, patch it. And the great thing is, Burp supports global hooking, so this hooks requests coming out from all the modules, not only the Proxy or the Repeater tool but also the Intruder and the Scanner, which proved to be very, very helpful for penetration testing later on. So yes, this took me about two weeks: not a single vulnerability seen, no money earned, just overcoming technical hurdles. But yes, finally I could start penetration testing.
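An added worked example from the editor, not code from the talk, from Instagram or from the speaker's Burp extension: what that extension has to do once the key is known, written in Python. The key bytes, the key length and the payload values are stand-ins (the real key comes out of libscrambler.so at runtime and rotates every release); only the structure follows the talk: 64 hex characters of HMAC-SHA256, a dot, the JSON payload, sent alongside ig_sig_key_version.

```python
import hashlib
import hmac
import json

# Stand-ins for values only the app knows. Assumption: a 32-byte key; the
# real one is served by libscrambler.so and changes with every release.
EXAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
SIG_KEY_VERSION = "4"

# Constructed login payload of the kind shown in the talk (made-up values).
SAMPLE_PAYLOAD = {"username": "abc", "password": "abc", "device_id": "android-test-device"}


def sign(payload_json, key):
    """Produce '<64 hex chars of HMAC-SHA256>.<json>' as seen in signed_body."""
    mac = hmac.new(key, payload_json.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{mac}.{payload_json}"


def sign_dict(data, key):
    """Serialize compactly (no spaces) and sign; the app signs the exact bytes it sends."""
    return sign(json.dumps(data, separators=(",", ":")), key)


def split_signed_body(signed_body):
    """Split at the first dot only: the JSON part may itself contain dots."""
    sig, dot, payload_json = signed_body.partition(".")
    if dot != "." or len(sig) != 64:
        raise ValueError("not a signed_body value")
    return sig, payload_json


def verify(signed_body, key):
    """The server-side check the talk describes: recompute and compare in constant time."""
    sig, payload_json = split_signed_body(signed_body)
    expected = hmac.new(key, payload_json.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def payload_dict(signed_body):
    """The JSON payload carried inside signed_body, as a dict."""
    return json.loads(split_signed_body(signed_body)[1])


def resign_with_changes(signed_body, key, **changes):
    """What the proxy extension does to each outgoing request: apply the
    tester's edits to the JSON, then recompute the HMAC over the new payload.
    Patching bytes in place would leave a signature over the old payload."""
    data = payload_dict(signed_body)
    data.update(changes)
    return sign_dict(data, key)


def build_form(signed_body):
    """The two POST parameters observed on /api/v1/accounts/login/."""
    return {"ig_sig_key_version": SIG_KEY_VERSION, "signed_body": signed_body}
```

Note that verify() is only meaningful against a key you have extracted yourself, as the talk does with Frida; the point of resign_with_changes() is that any edit to the JSON, however small, invalidates the original signature, so the proxy must recompute it after every edit, from every Burp module that emits requests.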
Another thing I would like to share, another technique, which is actually pretty well known: if you decompile the APK from Instagram for Android, you can see that the strings are not obfuscated. The function names all get random names, like a and b, but the strings themselves are not obfuscated, and the strings themselves are very helpful to discover all the endpoints that are present in the application. So you can see accounts/login here, accounts/change_password, users/lookup; there are about 200 actually. A good thing is that old versions of the APKs are being stored on several websites, so this allowed me to download all the old versions, grep out all the endpoints and compare them. So actually I was keeping track of new endpoints that were being added, because new functionality is always more interesting to give a look, right? So here you can see a diff between two 7.x versions; this is actually from November, and already then you could see some endpoints related to two-factor authentication. They publicly launched it one or two weeks ago, but back in November it already appeared in the Instagram for Android app. So that's interesting, for me, to be ahead of my game, right?

So that's the technical hurdles. Finally I could start testing, and now the interesting stuff starts. First of all, I found one vulnerability related to infrastructure. Basically, in all of these bug bounty programs, the scope varies. For example, PayPal only allows you to attack the website, so it really must be paypal.com or a subdomain of it. Facebook is a bit wider, so they just say Instagram is in scope, go ahead and try to find something that is relevant. So I went ahead and started brute-forcing subdomains, because a subdomain of instagram.com is also an interesting target, and there's an open-source tool, which I did not make but which is very good, subbrute, on GitHub, in Python, and I went ahead and enumerated the subdomains. Now, what came out? A whole lot came out; they have a lot of subdomains, and I went over each one, and one that struck me as interesting was graphite.instagram.com. Never heard of Graphite, so I decided to dig a bit deeper, and at the time when I found this, in June, graphite.instagram.com resolved to an internal IP address, 10.x.x.x, which does not seem right, okay? So a public DNS server is saying: okay, this subdomain is reachable on this internal IP address. Pretty weird. And Graphite, I did not know this name, so I simply googled it, and the first hit on Google pointed me in the direction of the engineering blog of the developers of Instagram. Basically Graphite is a tool that they use to monitor a couple of servers, right, and they use a whole lot of other tools as well; they mention statsd, etc. And I figured, hmm, maybe there's graphite.instagram.com, maybe there are others as well. So I scraped all the words of this engineering blog at the time to make a dictionary out of it, and I re-ran the brute forcing, and a couple of additional hits came out. So there was not only graphite resolving to an internal IP address, but also sentry and sensu.instagram.com. So basically there are already three domains that are resolving to internal IP addresses, which to us seems to be a mistake.

Now the question is: okay, it does not seem right, but how can you exploit this, a public subdomain that is resolving to an internal IP address in your 10.* range? Anyone want to hear your thoughts? No? Basically my first idea was: okay, if I'm on a local network and I can claim this private IP address, and then I can convince my victim to visit this subdomain, they are browsing to my web server, I can impersonate Instagram. What can you do with it? First of all, yeah, you can serve them a backdoor, or a login page over an HTTP channel, and hope that they would log in. It would work for most people, but not for everybody. But I also discovered that on the main top-level domain, instagram.com, if you log in, the session cookie that is being generated actually also gets the attribute domain=instagram.com, which basically tells the browser: okay, cookie, you can send it to the top-level domain but also to all the subdomains, just go ahead and send it along. So I tested this out, and indeed, in Google Chrome, in incognito, I first logged in on instagram.com, I then browsed to graphite.instagram.com, first request, and indeed the session cookie is being added to this request. So this makes my case a bit more interesting, because if I can now impersonate graphite.instagram.com and make somebody who is logged in on Instagram visit this URL, maybe even in a hidden iframe on some website that I own, I can steal their session cookie, I can take over their account. So that's indeed it: on the local network, I must be on the local network of my victim, which is a heavy prerequisite, I claim the IP address, I lure them to browse to this website and I steal their session cookie. Unfortunately this was not heavy enough for Facebook, so they rejected it. They told me: okay, nice find, we discussed this at great length, but it's not eligible for a bug bounty. Pretty disappointing.

But this is the point where I gave up, back in June, but I should not have given up here, or I should have done something differently. Anybody know why? Anybody heard of Instagram's million-dollar bug? Yes, okay. So one of these three domains that I noticed, sensu.instagram.com, was resolving to a private IP address back in June, 10.x.x.x, but in September, apparently, not found by me, it started resolving to a public IP address, right? Instagram is completely hosted on Amazon, so it's an Amazon AWS IP address, but this was effectively the way in for the Instagram one-million-dollar bug that was found by Wesley Wineberg. Wesley is not here by any chance? I'm pretty jealous of Wesley for this one. So basically what he found is that he could actually see the content of sensu.instagram.com; it looked like this, this is coming from his blog, and long story short, there was a remote code execution vulnerability on this subdomain. He took over sensu.instagram.com, reported it, and only got two thousand five hundred dollars, which is a small bounty for a remote code execution. And then he went a bit further and started to prove to Facebook that this bounty is not really enough. So what Wesley did was, he stole an AWS key that was hosted on sensu.instagram.com, he used it to access some other AWS keys, which finally gave him access to everything related to Instagram, really everything: the SSL certificates, the private keys for signing Android applications, iOS application source code, really everything. Now I don't want to go into too much detail, but Facebook did not like this part. They liked this part, yes, they rewarded him for this part, but they did not very much like this part. So basically what happened is, once he reported this, and small note, he also downloaded some of these things, which is not a good thing to do of course, this triggered the CSO of Facebook, Alex Stamos, to call Wesley's boss, basically Synack, the company he is working for, to say he was being unethical. It was a big, big mess; there were a lot of comments back and forth on Reddit for example, I don't know who followed it. I leave it open to you to make up your mind whether this was a good thing or not, but the point is, this is also not correct from Facebook, I think: if you get a remote code execution, even if you think there's nothing, it's a big, big deal, right? So that was the first one: no money gained, a bit of disappointment around December when I read this.
But okay, on to the next one. The next one is in the web category. This is also an interesting one actually, which I learned about while reading write-ups on hackerone.com. The Instagram profile allows you to enter a link, a link to your blog for example, and it's being shown on your public profile page, which is just instagram.com/ and your username. This is one of my many test accounts. So I went ahead and I pointed this link to arneswinnen.net/instagram.html, and basically what happens is, if you click it, it will open in a new tab, right? So you click to open in a new tab. What few people know, but what all browsers do, is: if a new tab is opened by clicking in the previous tab, the new tab gets a reference to the parent tab, right, it gets a reference, and it can actually do something useful with this. One of the things it can do is redirect the previous tab, stealthily. So this was all the code being hosted on my page: window.opener.location.replace, a redirect of the first tab, and you can see it happening right here. So the idea here is, if I put a page like this on my profile and somebody clicks it, I can actually redirect their previous tab, which was pointing at instagram.com; I can redirect it to any page, like a page that looks like instagram.com that also asks for credentials, saying that you have been inactive for too long, please log in again. That's kind of an issue. So I reported this to Facebook, and it was valid, but I was not the first one to find it, so there's a good blog post about this as well for those who are interested. They told me: okay, it's a duplicate, thank you for submitting. So very close, but not close enough, but I do like it.

So the next one was my first real success, also in the web category, and this was a web server directory enumeration. So, browsing to Instagram: I'm from Belgium and my native language is Dutch, and it's also like that on my operating system, so if I browse to instagram.com I get served a Dutch welcome page. But just viewing a couple of Google hits, I noticed that if you append an hl, home language I think, parameter equals en, it would serve the same page in English, like a translation option, so nothing wrong with that. I also noticed that if I put ../ before it, it would still serve me the English welcome page, which is a bit odd, because the default is Dutch for me, but it's still working. So basically this is still working, which points to a path traversal vulnerability. So then I tried to read out some other files; /etc/passwd is a good one to guess because it's present on all Linux operating systems. I used the %00 trick in order to cut off the remainder of the path, but unfortunately I got back an error. No idea what happened on their end; maybe they detected the attack, maybe they don't have this file on their system, who knows, but this didn't work. So I was thinking: okay, I found a clue, but I have not really validated this vulnerability yet, so I have to go a step further. And I deep-dived into the documentation of Django: if you read the engineering blog of Instagram, Instagram is being coded in Python and Django, so I looked up the documentation, and it has some references to translation files, and there's also a path being exposed: conf/locale/<language code>, which is the en I was talking about, /LC_MESSAGES/django.po. So I figured: okay, if my input is being inserted here, I could go up one directory and go back, to see if I can indeed inject this. So I used ../locale/en, and indeed I still got the English version of the landing page of Instagram, which confirmed the vulnerability, because if I replaced locale with "wrong" it would serve me the Dutch one. So indeed I have a vulnerability, but I cannot read out any files, and even if I could, the file that is being read in the back end is being parsed as a translation file in the .po format, which I couldn't upload to Instagram, so that's a pity. How did I exploit it? Basically I downloaded a predictable file path list from the FuzzDB project, so lots of common directory names, and I started fuzzing for ../<guess>/../locale/en. So if the directory would exist I would get a hit, 200; if not, I would get a 404. And basically, indeed, I got 42 hits for directories, so I could, with this vulnerability, start reading out directory names on Instagram's production servers. Okay, so I went and reported: okay, I can read a lot of things on your production servers. But Instagram, Facebook, came back to me and told me: okay, this issue does not qualify. Which was not fun to read, because basically I had read access; I could also start enumerating all the home users that they have in /home. So I figured, okay, this must be a mistake, so I asked for some elaboration, and they came back and told me: okay, it wasn't the correct reply, so here's your five hundred dollars. Which was nice. Yes, finally, the happy kid.
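An added example from the editor, not the speaker's tooling and not Instagram's code: the directory-existence oracle the talk describes, run against a mock filesystem. The Django layout, the locale root path and every directory name are assumptions made up for the example; the mock answers 404 where the live site fell back to the Dutch page, but the oracle logic is the same: a guessed directory that exists lets the ../<guess>/../locale/en path resolve to the English catalog, a missing one breaks the walk.

```python
import posixpath

# Constructed mock filesystem (a made-up Django deployment layout, not
# Instagram's real tree). Only directories are modelled; a language directory
# that exists is assumed to contain LC_MESSAGES/django.po.
EXISTING_DIRS = {
    "/", "/app", "/app/conf", "/app/conf/settings", "/app/conf/locale",
    "/app/conf/locale/en", "/app/conf/locale/nl", "/app/static", "/etc",
    "/home", "/home/deploy",
}
LOCALE_ROOT = "/app/conf/locale"   # assumed; the talk never reveals the real path
CATALOGS = {"/app/conf/locale/en": "en", "/app/conf/locale/nl": "nl"}


def resolve(base, relative, existing_dirs):
    """Walk `relative` from `base` one component at a time, the way the OS
    does: every directory passed through must exist or resolution fails.
    posixpath.normpath would collapse 'x/..' lexically and hide the
    difference between an existing and a missing 'x', which is the oracle."""
    cur = base
    for comp in relative.split("/"):
        if comp in ("", "."):
            continue
        cur = posixpath.dirname(cur) if comp == ".." else posixpath.join(cur, comp)
        if cur not in existing_dirs:
            return None
    return cur


def mock_server(hl, existing_dirs=EXISTING_DIRS):
    """Stand-in for the hl= handler: 200 and the language served when the
    traversed path lands on a catalog directory, 404 otherwise."""
    target = resolve(LOCALE_ROOT, hl, existing_dirs)
    if target in CATALOGS:
        return 200, CATALOGS[target]
    return 404, None


def traversal_payload(guess, up=1, back="locale"):
    """Climb `up` levels above the locale root, step into `guess`, climb back
    out of it, then descend along `back` to the real English catalog.
    up=1, back='locale' probes siblings of the locale directory; deeper probes
    need the path from the ancestor back down to the locale root."""
    depth = len([c for c in guess.split("/") if c])
    return "../" * up + guess + "/" + "../" * depth + back + "/en"


def enumerate_dirs(wordlist, up=1, back="locale", oracle=mock_server):
    """The fuzzing loop from the talk: keep the guesses that answered 200."""
    return [g for g in wordlist if oracle(traversal_payload(g, up, back))[0] == 200]
```

In practice the oracle is only as clean as the server's error handling: a 404 on a missing directory versus a 200 (or a language fallback) on an existing one is what makes the enumeration work, and the %00 truncation the speaker tried fails here because the handler appends LC_MESSAGES/django.po and parses the result as a .po file rather than returning it.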
Okay, a couple of vulnerabilities I found were also a combination of vulnerabilities in different spaces. So this one here, private account shared pictures token entropy, is actually a combination of some vulnerabilities on the mobile application endpoints but also on the web endpoints. So Instagram is all about sharing pictures, so I went ahead and uploaded a picture on one of my test accounts, and I looked at the request and, in this case, the response that came back in case of a successful upload. Basically my picture gets a unique ID, which is very long; it's impossible to brute force, I tried. And it also gets a code, a unique code. So the internal ID here is being used to reference the image internally; the code is used for something else. It's ten characters long, and basically this code is part of the unique link, the permalink, of this picture. So if you browse to instagram.com/p/, from permalink, and then this code, this allows you to land on the picture. Now in my case I did this upload with a private account, and in this case this permalink is not visible to anybody; it's only visible to the private account. So I was logged in to my private account, and if I browsed here I could see the picture that I uploaded, but not publicly, so as it's supposed to be.

Now imagine that a private account owner wants to share his or her picture with someone who does not have Instagram; there are a couple of people who don't have Instagram, so it's a valid use case, I think. So Instagram has some functionality to generate this permalink but also change the access control around it. So in the Android app you can select your picture and say "copy share URL", which corresponds to the following GET request being made: GET /api/v1/media/<the unique ID of my picture>/permalink/, and then it would respond with the permalink we actually already had. So this is the permalink with the token we already had, but the big thing here is: if the owner of the picture made this request, the access control of this permalink was changed, for now it becomes visible to anybody; even when you're not logged in, the picture can be seen. This got me thinking: okay, I can imagine a couple of private account owners who have used this functionality to share URLs with a couple of their friends who don't have Instagram, so the only thing that is withholding me from finding out about all these pictures is this token, this code. It's a ten-character code which looks pretty random: you have capitals, you have digits, you have lower case, you even have a dash here.

All right, I started to investigate this a bit further and came to some conclusions. First of all, I went ahead and looked at the unique codes of some public accounts, which allowed me to enumerate all of them, and here I went ahead and took the founders of Instagram, Kevin and Mike, enumerated a lot of their picture codes, and I started to notice a pattern in the seventh and eighth character. So if you look closely, the seventh character only differs between two options here, G and capital A, and the eighth character is really static. And what's really interesting is that Instagram accounts also have a unique identifier, and the ones of Kevin and Mike only differ by one: so you see, his ID is number 3, his is number 4, it's obviously incremental, and based on that they have the same seventh and eighth character combinations. So as an attacker this is interesting, because if I want to finally steal some pictures of some private accounts, I want to learn about these two characters: I just look up a user, a public account user, with an ID which is close, and I could know these two characters. So two out of ten are down, basically, which is not enough, so I had to go a bit further as well, and I implemented a monitor script, because for a private account you can, on their profile page, see how many pictures they have posted up until now. So I wrote a monitor script that looks at this number, and as soon as this increases, so as soon as a private account has posted another picture, I also upload a picture with my attacker account, but really quickly, in a script, a Python script. And this also got interesting results, because the seventh and eighth character are based on the user identifier, but the first six characters are based on time. So if I really quickly also upload a picture, you can see, so these are the codes of my private account, monitored, my test account obviously, and these are the ones of my public account, generated by my monitor script; you can see that the first four characters are the same. So if I use the script to monitor a private account I can remove the dependency, I can predict the first four characters. So we have the first four, the seventh and the eighth; that only leaves four, and this actually becomes brute-forceable, because the alphabet is 64 characters, it's lowercase, uppercase, digits, and dash and underscore. 64 to the fourth, times two because of the seventh character having two options, equals 33 million possibilities, which you can brute force quite easily in a couple of days, with a dedicated wfuzz or Burp Intruder. So this actually becomes feasible, and this also got accepted by Facebook, so they told me: okay, indeed, interesting find. So they made the code a lot longer, as you'll see in the next one.
in the next one because there's something peculiar about the get request that makes a private picture become publicly accessible via the permalink it's a get request why is this a problem sorry anybody can read that there's also that's also a problem but why is this in in this context I I'm looking for something else basically sir yes see certain deeds and basically this request is stateful it changes the access control of this permalink but for stateful request you should use posts if you not you should not use get and also see surfing isn't it in play here because what I noticed is this is request being made by the Instagram for android mobile application with a custom
user agent being set by the by the thick client and with the session cookie which also holds a reference to the platform on which this session cookie was generated in this case mobile for android iOS is too i think the web is for so that they also keep track of that and for post requests instagram would not allow this request to be replayed with a session cookie of our web web session but forgets request they would so this makes this eligible for Caesar how come if my victim is logged in on instagram.com and I can convince him or her to browse to this link with an identifier of one of their private pictures the permalink would become
publicly accessible without them knowing it without their consent that's need a valid assumption but there are some some more work to do because in order to make this exploitation work I need two more things first of all I need to find the unique identifier of a private picture of my victim which is not public information and also i need to find out this permalink which is has grown a bit as you can see so it's not done characters anymore it's 35 or something so it's it's not guessable anymore so this this also had to be to be taken into account and for this for these two prerequisites i use some other other minor vulnerabilities that leak actually
this info so to find out private account pictures IDs there was a vulnerability in an endpoint which only works when a private account is being tagged in a picture then this picture would be served via via the endpoint user tags the user ID and then feed so the response would contain some private image IDs and this request could also be made by an attacker account for a victim account right so the response would would still be there which is a typical authorization bypass flow next up how to find the permalink this was this one was actually even easier so this get requests if I am an attacker and I have this get request I could just
replace the identifier of my own picture with the private image ID and it would also respond so this is another vulnerability in this endpoint that also leads this this permalink so all combined I could I could leak or I could make private pictures become publicly accessible from from private accounts and this was also world at one thousand dollars okay six phoner ability if you're not sleeping yet yeah this one is also in the weapon mobile space and this one allowed me to enumerate email addresses basically enumerates accounts based on the email addresses so if you subscribe to to instagram you get an email to confirm your confirm confirm your email address but whether you click
or not, your account will keep on working, so I don't really understand why this is the case, but this is some functionality that exists. If you click the link, you will browse to this URL, confirm email, and then some base64-encoded parameter which, if decoded, decodes to the email address that you used (instagram pen test user is one of mine). Okay, I figured, this is interesting, maybe I can change his email address. That didn't work, but what did work: if you go to this link, you first must authenticate as this account in order to confirm your email address. Now if I logged in as another account, it would tell me, hmm, you have to log in as the user linked to this email address in order to confirm it; you cannot be logged in as another user, in this case attacker, you must be logged in as this user. Which is actually an oracle for me, right? If I change the parameter to Mark Zuckerberg at facebook.com, Facebook will tell me, no, you have to log in as Mark Zuckerberg in order to confirm this email address. So I could start guessing email addresses and find out the accounts linked to them, which might not be a big issue for us, but in countries where there is some censorship this is actually interesting, to be able to link activists to Instagram accounts, for governments for example. And why is this also in the mobile space? Basically same endpoint, same problem. Okay, so this also got awarded by Facebook.

Seventh. Interesting to know if you have an Instagram account, for those few who have: if you lose your password and you don't have a linked email address, you lose your account. Basically it's stated: if you can't access the email you registered with and you didn't link your Instagram account to Facebook, we're not able to give you access to this account, so you lose it. That was the inspiration for this vulnerability, because if you want to change your password it requires you
to enter your old password, which is good practice, but if you change your email address it does not ask you for your current password, although password reset functionality based on the email address can also yield you access to the account. So this doesn't seem right, but Instagram has a countermeasure for this. If I change the email address of this account to another email address, a new mail is being sent to that new address, but also a mail is being sent to the old email address saying, hey, somebody changed your email address; if it wasn't you, click here and you can secure your account again. And indeed, if you click there, you can run through a couple of pages and you can reclaim your account and change your password. So that's basically Instagram's protection against this. It's pretty odd; I would just require the old password to be entered, but this is also an option. The problem here is: if an attacker changes the email address not once but twice, he would also get a link to reclaim the account, and this was the issue here: the link would still work, right? So the attacker has two email addresses, and the prerequisite here is that an attacker would get temporary access to an Instagram account, for example a mobile phone that is being left on the table during a toilet visit. You change the email address twice and then you end up in the following situation: the victim has one reclaim link, but the attacker also has one, on the second email address, hehe. So the attacker would go ahead and reset the password of the account, reclaim the account, get access to the account. The victim would use his or her reclaim link to take over access again, and this is where the problem is: this link, although being generated after this one, would still work. Finally the attacker can again reclaim the account; there's no way for the victim to get it back. The email address is gone, the password has been changed, so game over. For this one I was also awarded two thousand dollars, so this was a generous award, thanks.
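The following is an added example, written by the editor and not code from the talk or from Instagram, modelling the chain behind the fifth vulnerability above (the private-picture permalink): a tagged-media feed and a media-info endpoint that skip the authorization check, plus a share action that changes state on a cookie-authenticated GET, which is what makes the CSRF work. Every user name, media id, endpoint name and token format here is an assumption; the hardened variant adds the three checks a practitioner would expect (viewer may see the owner's media, POST with a session-bound CSRF token, owner-only share).

```python
# Added example (editor's own code, not Instagram's): a model of the
# private-media exposure chain. Two endpoints skip an authorization check,
# and a share endpoint changes state on a cookie-authenticated GET, which is
# what makes the CSRF work. User names, media ids and endpoints are made up.
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    private: bool
    followers: set = field(default_factory=set)


@dataclass
class Media:
    media_id: int
    owner: str
    permalink: str                      # long random token, not guessable
    tagged: set = field(default_factory=set)
    link_public: bool = False           # flipped by the "share" action


class Service:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users: dict = {}
        self.media: dict = {}
        self.csrf: dict = {}            # session user -> CSRF token

    def can_view(self, viewer, owner) -> bool:
        o = self.users[owner]
        return viewer == owner or not o.private or viewer in o.followers

    def usertags_feed(self, viewer, target) -> list:
        """Media in which `target` is tagged. The vulnerable variant never
        asks whether `viewer` may see the owner's private media."""
        return [m.media_id for m in self.media.values()
                if target in m.tagged
                and (not self.hardened or self.can_view(viewer, m.owner))]

    def media_info(self, viewer, media_id) -> dict:
        """Returns the permalink. The vulnerable variant answers for any id."""
        m = self.media[media_id]
        if self.hardened and not self.can_view(viewer, m.owner):
            raise PermissionError("not allowed to view this media")
        return {"permalink": m.permalink}

    def share(self, method, session_user, media_id, csrf_token=None):
        """Makes the permalink public. The vulnerable variant accepts a GET
        carrying only the session cookie, so a link the victim clicks is enough."""
        m = self.media[media_id]
        if self.hardened:
            if method != "POST":
                raise PermissionError("state change requires POST")
            if not csrf_token or csrf_token != self.csrf.get(session_user):
                raise PermissionError("missing or wrong CSRF token")
            if m.owner != session_user:
                raise PermissionError("only the owner can share")
        m.link_public = True

    def resolve_permalink(self, viewer, permalink) -> int:
        for m in self.media.values():
            if m.permalink == permalink and (m.link_public or self.can_view(viewer, m.owner)):
                return m.media_id
        raise PermissionError("no such public media")


def build_service(hardened: bool) -> Service:
    svc = Service(hardened)
    svc.users["victim"] = User("victim", private=True)
    svc.users["attacker"] = User("attacker", private=False)
    svc.media[1] = Media(1, "victim", secrets.token_urlsafe(26), tagged={"victim"})
    svc.csrf["victim"] = secrets.token_hex(16)
    return svc


def run_chain(hardened: bool) -> str:
    """Attacker has no relationship with the victim; returns how far the chain got."""
    svc = build_service(hardened)
    ids = svc.usertags_feed("attacker", "victim")            # 1: leak private media id
    if not ids:
        return "blocked: usertags feed hides private media"
    try:
        link = svc.media_info("attacker", ids[0])["permalink"]   # 2: leak permalink
        svc.share("GET", "victim", ids[0])       # 3: victim's browser follows the link
        svc.resolve_permalink(None, link)        # 4: anyone can open the permalink
    except PermissionError as exc:
        return f"blocked: {exc}"
    return "leaked: private media reachable without authentication"
```

`run_chain(False)` walks all four steps and ends with the private picture reachable anonymously; `run_chain(True)` stops at the first step, and each later check can be exercised on its own against `build_service(True)`. The point of modelling all three gaps together is that none of them looked serious in isolation, which is why the two leaks were rated as minor until the CSRF tied them together.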
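The following is an added example, written by the editor and not code from the talk or from Instagram, modelling the email-change reclaim flow of the seventh vulnerability above and the "change it twice" attack. The addresses, passwords and the two hardening knobs (`require_password`, `void_siblings`) are assumptions; the fix modelled is that one successful reclaim voids every other outstanding reclaim link for that account, with requiring the current password on an email change shown as the alternative the speaker prefers.

```python
# Added example (editor's own code, not Instagram's): a model of the
# email-change reclaim flow and the "change it twice" attack. Addresses,
# passwords and the hardening knobs are made up.
import secrets


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.password = password
        self.reclaim_links: dict = {}   # token -> address the link was mailed to


class AccountService:
    def __init__(self, require_password: bool, void_siblings: bool):
        self.require_password = require_password   # ask current password on change
        self.void_siblings = void_siblings         # one reclaim kills the others
        self.outbox: list = []                     # (address, token) "mails sent"

    def change_email(self, acct: Account, new_email: str, password=None) -> str:
        if self.require_password and password != acct.password:
            raise PermissionError("current password required")
        old = acct.email
        acct.email = new_email
        token = secrets.token_urlsafe(32)
        acct.reclaim_links[token] = old            # reclaim link goes to the OLD address
        self.outbox.append((old, token))
        return token

    def reset_password(self, acct: Account, new_password: str) -> None:
        """Password reset via the address currently on the account."""
        acct.password = new_password

    def reclaim(self, acct: Account, token: str, new_password: str) -> None:
        addr = acct.reclaim_links.get(token)
        if addr is None:
            raise PermissionError("invalid, used or superseded reclaim link")
        acct.email = addr
        acct.password = new_password
        if self.void_siblings:
            acct.reclaim_links.clear()             # nothing older can undo this reclaim
        else:
            del acct.reclaim_links[token]          # vulnerable: siblings stay valid


def run_attack(require_password: bool, void_siblings: bool) -> str:
    svc = AccountService(require_password, void_siblings)
    acct = Account("victim@example.com", "victim-pw")
    # Attacker sits at the victim's unlocked phone and changes the address twice.
    try:
        t1 = svc.change_email(acct, "attacker-1@example.net")  # link mailed to victim
        t2 = svc.change_email(acct, "attacker-2@example.net")  # link mailed to attacker-1
    except PermissionError as exc:
        return f"blocked: {exc}"
    svc.reset_password(acct, "attacker-pw")                    # attacker owns it for now
    svc.reclaim(acct, t1, "victim-new-pw")                     # victim takes it back
    try:
        svc.reclaim(acct, t2, "attacker-pw-2")                 # attacker's spare link
    except PermissionError as exc:
        return f"blocked: {exc}"
    return f"attacker wins: email now {acct.email}"
```

`run_attack(False, False)` reproduces the game-over state: after the victim has reclaimed, the attacker's older link is still accepted and moves the address to one the attacker controls. Either knob alone stops it, at different points in the sequence.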
Up next is the easiest one, and also the highest bounty that I've earned. It's actually about an endpoint that I found with my script that decompiled the APKs and compared the endpoints. In version 6.21 a new endpoint appeared under discover/, which I couldn't trigger by just using the mobile app, so it was never used by the thick client at the time and I've never seen it being used; it has actually been removed again, but at the time it was actually responding to requests. So I tried to forge a request, but the response would just say that you're missing a couple of parameters, we cannot process your request. So then I looked up where this string was in the decompiled Java, and it gave me a couple of hints about the parameters that I should give along. That's what I did: I logged in as a public account, one of my test accounts, and I fed the endpoint a target ID of a private test account of mine, right, no relationship between these accounts, so nothing should be shown. But actually what was shown were the users that this private account was following at the time. Now I'm a fan of Bruce Springsteen, so indeed my test account was following Bruce Springsteen, and the nice part here is, okay, not only the name is being leaked, but also a couple of links to pictures of Bruce Springsteen are in the response. Bruce Springsteen is a public account, but I also figured, hmm, if this private account is following other private accounts, maybe I can also get access to private pictures, which was unfortunately not the case; the arrays were empty for private accounts. But still, I could find out which users a private account was following, which is not allowed. So unfortunately not this one, but still a nice and generous award of two thousand five hundred dollars for five minutes of work, so that was also nice.

Now last but not least is my last one,
actually also a quite interesting one, because this one allowed me to directly steal money from Instagram. Now on Instagram you can link your account to a mobile phone number, right? You enter the phone number, they send you a text, you need to enter the code that they sent you, six digits; if you don't enter the code, they will call you in three minutes. So Instagram is actually going to call me. I entered my phone and effectively they started calling me from California in Belgium, so indeed I got some calls. I cannot let you hear it right now, but it was basically saying: your code for I-N-S-T-A-G-R-A-M is 6 2 3 1 2 1. And I figured, okay, I have the ability to let them call me; let's register a premium number and see if they call that. Why not, it might even work. So I had to find a premium number. Honestly, this was not easy to do, to find reliable premium numbers. I looked on the internet for three hours, I guess, just to find myself a couple of premium numbers that worked. Finally I ended up on a site, your call 24 dot com, which allows you to register a lot of premium numbers and allowed me to have a couple of tries. I tried ten-ish numbers or so but didn't get any response, so I almost gave up, until I actually used a number in the United Kingdom and I actually saw the live call coming in from Instagram to my premium number account, right. So at this time Instagram was directly giving me money, but it got a bit better, because I could replay this call; I could replay it a lot. The only protection that there was was protection on the endpoint, so I had to wait for 30 seconds, but I could just start looping. So I started looping with a throttle of 30 seconds in between, and as a proof of concept I called 60 times. My number was generating only a bit of money, but by calling 60 times I earned one pound in half an hour, for free. So okay, I reported this, and then the reaction of Facebook came. I'll read it out loud: "This is intentional behavior in our products." I'll repeat: this is intentional behavior in our products. So first I was disappointed; I said, okay, what's that? But then it came to me: this is intentional behavior, am I really allowed to do this? So I had a moral dilemma here, right; I had it in black on white that it was allowed, but I decided to elaborate a bit and tell them: okay, if I do this with one account, indeed I have a threshold of 30 seconds and I can only steal one thousand dollars a month, but I can happily make 100 accounts and make them all send requests to the same premium number, because that's all allowed, and I could really earn a lot of money. And they came around. So they basically said, unfortunately, of course, but they came around and told me, okay, we'll do some fine-tuning of our rate limitation and add some more protection, and they gave me two thousand dollars.

So that's it. A small overview: nine vulnerabilities in total, almost ten thousand dollars was earned, plus one, because I got to keep the pound. And a small note: I gave four of my bounties to a non-profit, and Facebook does match that bounty, so basically thanks to them it went to non-profits for street children in Ethiopia, so they have more benefit from it than me. So that's it. Some more advice if you want to get into bug bounty hunting yourself: if you're hunting, keep calm and try harder; if you're reporting, be patient; and when you're disclosing things, be responsible, because I have some other outstanding vulnerabilities which have not been fixed yet, and these will only be disclosed when they have been fixed. So keep an eye on my blog, and thank you for your attention.
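The following is an added example, written by the editor and not code from the talk or from Instagram, modelling the "call me with my code" endpoint and its rate limit from the last vulnerability above. A throttle keyed only by the requesting account gives exactly the 60 calls per half hour the speaker measured and is defeated by registering more accounts; keying it by the destination number as well, plus a per-number daily cap, is the hardening shown. The time unit, the 30-second window, the premium number and the account names are all assumptions.

```python
# Added example (editor's own code, not Instagram's): a model of the
# "call me" verification endpoint and its throttle. Times are simulated
# seconds; account names and the premium number are made up.
from collections import defaultdict


class CallVerifier:
    def __init__(self, per_account_s=30, per_number_s=None, per_number_daily=None):
        self.per_account_s = per_account_s          # the only limit in the vulnerable setup
        self.per_number_s = per_number_s            # hardening: window per destination number
        self.per_number_daily = per_number_daily    # hardening: cap per destination number
        self.last_by_account: dict = {}
        self.last_by_number: dict = {}
        self.count_by_number: dict = defaultdict(int)
        self.calls: list = []                       # (time, account, number) actually dialled

    def request_call(self, now: float, account: str, number: str) -> bool:
        """Returns True if the call is placed, False if the throttle rejects it."""
        if now - self.last_by_account.get(account, float("-inf")) < self.per_account_s:
            return False
        if (self.per_number_s is not None
                and now - self.last_by_number.get(number, float("-inf")) < self.per_number_s):
            return False
        if (self.per_number_daily is not None
                and self.count_by_number[number] >= self.per_number_daily):
            return False
        self.last_by_account[account] = now
        self.last_by_number[number] = now
        self.count_by_number[number] += 1
        self.calls.append((now, account, number))
        return True


def simulate(verifier: CallVerifier, accounts: list, seconds: int, number: str) -> int:
    """Every account retries the call request once per second; returns calls placed."""
    placed = 0
    for t in range(seconds):
        for acct in accounts:
            if verifier.request_call(t, acct, number):
                placed += 1
    return placed


PREMIUM = "+44-premium-0000"        # made-up destination number


def one_account_half_hour() -> int:
    """The speaker's proof of concept: one account, 30 s throttle, 30 minutes."""
    return simulate(CallVerifier(per_account_s=30), ["acct-1"], 1800, PREMIUM)


def hundred_accounts_half_hour() -> int:
    """The escalation he described: 100 accounts against the same number."""
    accounts = [f"acct-{i}" for i in range(100)]
    return simulate(CallVerifier(per_account_s=30), accounts, 1800, PREMIUM)


def hardened_half_hour() -> int:
    """Same 100 accounts once the throttle also keys on the destination number."""
    accounts = [f"acct-{i}" for i in range(100)]
    verifier = CallVerifier(per_account_s=30, per_number_s=30, per_number_daily=3)
    return simulate(verifier, accounts, 1800, PREMIUM)
```

`one_account_half_hour()` yields 60 calls, matching the proof of concept; `hundred_accounts_half_hour()` yields 6000, because the per-account key never sees the other 99 accounts; `hardened_half_hour()` yields 3, because the per-number cap is what actually bounds the cost of a single destination.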