How to Hack Someone's Instagram Account

How to Hack Someone's Instagram Account
Content List

How I Managed to Hack Instagram Once More

I discovered a vulnerability on Instagram that allows anyone to take control of other people's Instagram accounts without their permission. This article is about vulnerability. As part of their bounty program, the Facebook and Instagram security teams were able to resolve the issue and compensate me with $10000.

My article on the Instagram account takeover vulnerability was published last month, and I demonstrated how I was able to hack any Instagram account in under 10 minutes. This is also a similar vulnerability, albeit one with a lower level of severity.

How to Hack Someone's Instagram Account

How to Hack Someone's Instagram Account


This is the same device ID that I mentioned in my previous post, and it is the unique identifier that is used by the Instagram server to validate password reset codes. In the event that a user requests a passcode from his or her mobile device, the request is accompanied by the device ID for that device. The same device ID is used to verify the passcode a second time as well.

Verify passcode

POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1

User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080×2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)

Accept-Language: en-IN, en-US

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept-Encoding: gzip, deflate

Host: i.instagram.com

Connection: keep-alive

recover_code=123456&device_id=device-id

Instagram's application generates a random string for each device it encounters. After all, what does it matter if the same device ID is used to request passcodes for multiple Instagram accounts at the same time? I looked into it further and discovered that the same device ID can be used to request multiple passcodes from multiple users.

What exactly is the hack?

A six-digit passcode has a one-in-a-million chance of being cracked (000001 to 999999). When we ask for the passcodes of multiple users, we increase the likelihood of accounts being accessed and compromised. For example, if you request the passcode of 100 thousand users using the same device ID, you can expect a 10 percent success rate because 100 thousand codes are issued to the same device ID in this case. In the event that we were to request passcodes for one million users, we would be able to hack all one million accounts with relative ease simply by incrementing the passcode one by one after that.

Therefore, in order to complete the attack with a 100 percent success rate, an attacker must request codes from 1 million different users. We should also take note of the code's 10-minute expiration time limit, which means the entire attack should be completed within 10 minutes.

The Facebook security team has now resolved the issue, and we are no longer able to hack Instagram accounts using this vulnerability.

Following the application of the patch

How I Managed to Hack Instagram Once More


I'd like to express my gratitude to the Facebook security team for rewarding me through their bug bounty program. Please share your thoughts in the comments section.

How I could have hacked into any Instagram account is unknown to me.

Specifically, this article describes how I discovered a vulnerability on Instagram that allowed me to hack into any Instagram account without the user's consent. As part of their bounty program, the Facebook and Instagram security teams were able to resolve the issue and compensate me with $30000.

Facebook is constantly working to improve the security controls that are in place across all of its platforms. As a result, they recently increased the payouts for all critical vulnerabilities, including account takeovers, as part of their ongoing efforts. As a result, I decided to try my luck on social media platforms such as Facebook and Instagram. I was fortunate in that I was able to locate one on Instagram.

When I was looking for an account takeover vulnerability, the first thing that came to mind was the Instagram forgot password endpoint, which I discovered by accident. Instagram's web interface was down, so I attempted to reset my password there. They have a link-based password reset mechanism that is fairly robust, and after only a few minutes of testing, I was unable to identify any bugs in it.

Then I moved on to their mobile recovery flow, where I was successful in identifying a vulnerable behavior. Users will receive a six-digit passcode to their mobile number if they enter their mobile number during the registration process. They must enter this information in order to change their password. If we are successful in trying all one million codes on the verify-code endpoint, we will be able to change the password of any account. However, this is unlikely to be the case. But I was fairly certain that there had to be some sort of rate-limiting in place to protect against such brute-force attacks. I made the decision to put it to the test.

My tests did reveal the presence of rate-limiting, as expected. I sent approximately 1000 requests, 250 of which were accepted, and the remaining 750 requests were rejected due to rate limitations. I tried another 1000, and now many of them are being throttled. As a result, their systems are validating and rate-limiting the requests in the correct manner.

The number of requests and the lack of blacklisting was two things that came to mind when thinking about this. Despite the fact that the number of requests I can send in a fraction of the time is limited, I was able to send requests in a continuous stream without being blocked.

My continuous testing for a few days yielded the following results: I discovered two things that allowed me to circumvent their rate-limiting mechanism.

Race Hazard IP rotation is a hazard in a race.

For those who are unfamiliar with the race condition, you can learn more about it here. Sending concurrent requests from multiple IP addresses allowed me to send a large number of requests without running into a capacity limit. The number of requests we can send is dependent on the number of requests being sent at the same time and the number of IP addresses we are using. Also, I discovered that the code expires in 10 minutes, which makes the attack even more difficult, necessitating the use of 1000s of IP addresses to carry out the attack.

I notified the Facebook security team about the vulnerability, but they were unable to reproduce it at first due to a lack of information in my report. It only took a few emails and convincing proof of concept video for me to persuade them that the attack was feasible.

Demonstration of concept:

A passcode is being requested.

Verify passcode

POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1

User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080×2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)

Accept-Language: en-IN, en-US

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept-Encoding: gzip, deflate

Host: i.instagram.com

Connection: keep-alive

recover_code=123456&device_id=device-id

The victim will receive a passcode and it will expire in 10 minutes.

Verify passcode

POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1

User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080×2150; Xiaomi/xiaomi; Redmi Note 6 Pro; tulip; qcom; en_IN; 152830654)

Accept-Language: en-IN, en-US

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept-Encoding: gzip, deflate

Host: i.instagram.com

Connection: keep-alive

recover_code=123456&device_id=android-device-id-here

Instagram's application generates a random string for each device it encounters. After all, what does it matter if the same device ID is used to request passcodes for multiple Instagram accounts at the same time? I looked into it further and discovered that the same device ID can be used to request multiple passcodes from multiple users.

What exactly is the hack?

A six-digit passcode has a one-in-a-million chance of being cracked (000001 to 999999). When we ask for the passcodes of multiple users, we increase the likelihood of accounts being accessed and compromised. For example, if you request the passcode of 100 thousand users using the same device ID, you can expect a 10 percent success rate because 100 thousand codes are issued to the same device ID in this case. In the event that we were to request passcodes for one million users, we would be able to hack all one million accounts with relative ease simply by incrementing the passcode one by one after that.

Therefore, in order to complete the attack with a 100 percent success rate, an attacker must request codes from 1 million different users. We should also take note of the code's 10-minute expiration time limit, which means the entire attack should be completed within 10 minutes.

The Facebook security team has now resolved the issue, and we are no longer able to hack Instagram accounts using this vulnerability.

We'll need to use multiple IP addresses to brute force this endpoint at this point. I was able to send approximately 200 requests from a single IP address before hitting the rate limit.

When I ran my tests, I used 1000 different machines (to make it easier to achieve concurrency) and IP addresses to send 200k requests (which is 20 percent of the total one million probability).

I'm sending out 200 thousand requests.


In a real-world attack scenario, an attacker would require 5000 IP addresses in order to hack into a user's account. Although it appears to be a difficult task, using a cloud service provider such as Amazon or Google makes it simple. It would cost approximately 150 dollars to carry out the entire attack on one million different codes.

After showing the above video to the Facebook security team, they were persuaded that 200k valid requests had been sent. They were also very prompt in addressing and resolving the problem.

Methods of hacking into someone's Instagram account, as well as prevention measures

Instagram, which has more than 1 billion active users, is the second most popular social networking website after Facebook, according to Statista. Thus, it should come as no surprise that the phrase "hack Instagram" is a frequently searched keyword on the internet. A plethora of online websites and Android / iPhone apps claim to be able to hack into someone's Instagram account, but none of the password hackers are capable of completing the task for you at this time.

Do you have any idea why?

Because Instagram (which is owned by Facebook) is concerned about security. This is because they do not want their users to be subjected to such hacks. However, we continue to see instances of people having their Instagram accounts hacked, which is primarily due to social engineering attacks such as phishing, and not due to Instagram password hackers that are readily available online. Consequently, avoid becoming a victim of those downloadable applications and websites.

Before you inquire as to who I am and why I am discussing Instagram hacking, allow me to inform you that I hacked into Instagram and was awarded a $30,000 reward for my discovery. You can find out more about it here.

All of the techniques that can be used to hack into someone's Instagram account, as well as their respective prevention methods, will be laid out for us in this section.

Please keep in mind that the purpose of this article is to educate people on how Instagram hacking works and how they can prevent such hacks from occurring. As a result, refrain from employing these techniques for malicious purposes.

The use of remote keyloggers/spyware is one example.

An example of remote keylogger software (also known as spyware) is a piece of software that records everything you type on your mobile phone or computer and sends it to the person who installed it. It is therefore very easy to spy on the passwords, credit card details, and other sensitive information you enter on your mobile device or computer.

Root access is required by the majority of operating systems (including Android and iOS) before any app can record sensitive information. As a result, rooting or jailbreaking your phone is not a good idea when it comes to security.

Cell phone spyware is a very useful piece of software for parents who want to keep an eye on their children's mobile activities. There are hundreds of spyware mobile apps and remote keyloggers available for download on the internet, both free and paid. For more information, you can look it up on the internet.

Unless the device has been rooted, all key loggers require physical access in order to be installed.

What can you do to keep yourself safe from mobile keyloggers?

Never root your mobile device without first consulting a professional. Rooting your device makes it more vulnerable.

Install any anti- spy app lication to help you identify malicious software that is attempting to access your inputs.

If you don't completely trust the publisher, don't use third-party keypad applications.

Phishing (also known as spear phishing)

Phishing is a very effective technique used by hackers to gain access to a user's account password. It consists of the creation of a duplicate copy of a website's login page with the intent of stealing a user's password. In the event that a common user comes across such a page, he or she may enter their username and password thinking that it is a legitimate login page, resulting in their account being hacked.

An example of an Instagram web-based phishing page

Take a look at the image above; you might not have noticed a discrepancy in the URL (https://www.instagram.com), but there is one there! The spelling of the domain name, the use of the dot com, and the forward-slash are all important pieces of information to keep in mind whenever you come across a login page. There should be no change to the URL of a legitimate Instagram account, which should be https://www.instagram.com/. If you notice any changes, it is likely that you are viewing a phishing page.

Because Instagram is a mobile application, we rarely use its web-based login, making phishing a difficult method of obtaining an Instagram password.

Because everyone is aware that a Facebook account is all that is required to get started with Instagram, hacking someone's Facebook account's password will result in Instagram hacking as well. Therefore, phishing your Facebook account password results in the hacking of your Instagram account.

Creating a phishing page isn't rocket science, but it does take some time. Thousands of websites offer direct downloads of phishing pages, which can be exploited by hackers. Anyone with a basic understanding of programming languages such as PHP or HTML can create a phishing page in no time. As a result, be wary of phishing pages.

3. Password grabbing in its most basic form

This is one of the most commonly used methods by hackers to gain access to Instagram users' accounts. We have a bad habit of using the same password for all of the websites that we visit on a regular basis. This is referred to as a bad habit because not all websites are built and secured in the same way. It's possible that Facebook.com has more security measures in place than shoddy xyz.com. Therefore, a hacker who gains access to poor xyz.com's database will be able to easily hack into your Instagram account.

Before storing a password in a database, it is always recommended that it be hashed. Nevertheless, many small and medium-sized website owners store passwords in plain text, making it simple for a hacker to steal your entire password from a compromised website.

How can you protect yourself from being hacked into your passwords?

Never use the same password for multiple websites, such as Google, Facebook, Instagram, and other social media platforms.

Have two different types of passwords.

Creating a strong password for important websites is essential.

For other unimportant websites, this is a common and easy password to remember. As a result, you won't have to remember multiple passwords anymore.

Weak Passwords are number four.

Hacking an Instagram account is possible through social engineering, which involves guessing the password. Having a strong password makes it difficult to accomplish this task.

What criteria do we use to determine whether a password is weak?

It is considered a weak password any password that is easily guessable by a third party or by someone you know. The following are some examples of weak passwords that are commonly used.

The conjunction of a mobile number and a nickname / a name and a date of birth

Phone Numbers of Boy and Girl Friends – The majority of lovers have their partners' mobile phone numbers.

Name of the Girl's / Boy's Friend – The majority of the lovers have the same name.

Name Combination for a Boy or a Girl Friend

No longer in use bike number or old mobile number

Name of the pet Name of the person who is closest to the pet (can be friends too)

To avoid being identified with any of the passwords listed above, you should change your password immediately. Weak passwords are not limited to the ones on this list, either. Any password that is easily guessable should be avoided.

Always use two different passwords, as I previously stated. A strong password for important websites/apps and a common weak password for insignificant websites/apps are recommended by security experts.

5. Vulnerabilities in the Mobile Operating System

Android and iOS are the dominant mobile operating systems, and as a result, vulnerabilities affecting the Android and iOS operating systems can ultimately lead to the hacking of your mobile device, of which Instagram is only a part. These vulnerabilities are frequently addressed through the use of zero-day exploits. Due to the fact that we have no control over the situation, there is nothing we can do to prevent these vulnerabilities.

There are a few things you can do to safeguard yourself.

When a new version of your operating system becomes available, always upgrade. System upgrades include critical security patches, and as a result, they must be performed.

Don't ignore minor security updates from your mobile device's manufacturer.

Installing apps from unknown sources is never a good idea.

Install apps only from app store publishers who are well-known and reputable.

6. Instagram is prone to zero-day exploits.

Last but not least, Instagram has flaws that need to be addressed. A zero-day vulnerability is a vulnerability in software that is unknown to the software vendor, for example, Instagram. In order to hack into Instagram accounts, black hat hackers look for flaws in the platform's code.

When the vendor's own security is compromised, we as commoners are powerless to prevent it. All we can do is enable some fundamental security measures, such as two-factor authentication, on our systems. Instagram is extremely secure because it participates in a bug bounty program in which all whitehat hackers are encouraged to identify and report security vulnerabilities.