
5.3.2 Instagram

We found that Instagram was vulnerable to the Trojan Identifier Attack.

Trojan Identifier Attack (Alternative identifier variant).

In Instagram, identifier verification is mandatory when creating an account. Nevertheless, an attacker could create an account using the attacker’s phone number and associate the victim’s email address with the created account.

This would cause a verification email to be sent to the victim’s email address. However, based on our assumptions in Table 1, some victims might ignore this email.

When the victim subsequently tried to create an account using their email address, they would find that an account already exists (and might misinterpret this as, e.g., being related to the acquisition of Instagram by Facebook, if they already have a Facebook account with the same email address). The victim might recover the account and start using it.

The attacker would then be able to sign into the account by requesting a one-time sign-in link to be sent to the attacker’s phone number. However, the attack can be thwarted if the victim notices and removes the attacker’s phone number from the account.

As Instagram is a social network and an IdP, a successful attacker would be able to access photos and videos shared by the victim and members of their network, and sign in to other services where the victim uses Instagram as an IdP. The attacker would also be able to read the chats of the victim and impersonate the victim.

When we responsibly disclosed our findings to Instagram in July 2021, they noted that their identifier verification emails include a link to report suspicious sign ups. However, it is unclear how many victims would take action in this situation, as previous studies (e.g., [2]) have shown user-initiated security decisions to be ineffective. Instagram also noted that it is the responsibility of the users to look for Trojan identifiers in their profile.
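The sequence above, replayed against a small in-memory account model so the weak point is visible: the victim recovers an account that still carries the attacker’s verified phone number. This is an added example, not code from the paper or from Instagram; the `AccountService` class, its methods, the sample identifiers and the `strict_recovery` policy (drop every other identifier and revoke all sessions when an account is claimed through an identifier it was not created with) are assumptions made here to illustrate the attack flow and one defensive design choice.

```python
"""Model of the Trojan identifier (alternative identifier variant) flow.

Added example; not code from the paper or from Instagram. The account
service, its methods and the strict_recovery policy are assumptions used to
replay the attack sequence and show one mitigation a service could apply.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    # identifier (email or phone) -> True once ownership has been verified
    identifiers: dict = field(default_factory=dict)
    sessions: set = field(default_factory=set)


class AccountService:
    """Tiny in-memory account store (assumed, for illustration).

    strict_recovery models the defence: when an account is claimed through an
    identifier other than the one it was created with, every other identifier
    is dropped and all sessions are revoked, so a pre-attached Trojan
    identifier cannot be used to sign in afterwards.
    """

    def __init__(self, strict_recovery: bool):
        self.strict_recovery = strict_recovery
        self.accounts: dict[int, Account] = {}
        self.index: dict[str, int] = {}   # identifier -> account_id
        self._next = 1

    def create_account(self, identifier: str) -> Account:
        # Identifier verification is mandatory on creation, as on the page.
        if identifier in self.index:
            raise ValueError("identifier already in use")
        acct = Account(self._next, {identifier: True})
        self._next += 1
        self.accounts[acct.account_id] = acct
        self.index[identifier] = acct.account_id
        return acct

    def add_identifier(self, acct: Account, identifier: str) -> None:
        # Alternative identifier attached but not yet verified; the
        # verification message goes to its real owner, who may ignore it.
        if identifier in self.index:
            raise ValueError("identifier already in use")
        acct.identifiers[identifier] = False
        self.index[identifier] = acct.account_id

    def recover_account(self, identifier: str, session: str) -> Account:
        # The owner of `identifier` proves control of it (e.g. a reset link)
        # and takes over the account it points to.
        acct = self.accounts[self.index[identifier]]
        acct.identifiers[identifier] = True
        if self.strict_recovery:
            for other in [i for i in acct.identifiers if i != identifier]:
                del acct.identifiers[other]
                del self.index[other]
            acct.sessions.clear()
        acct.sessions.add(session)
        return acct

    def sign_in_with_link(self, identifier: str, session: str) -> bool:
        # A one-time sign-in link is only issued for a verified identifier
        # that is still attached to some account.
        acct_id = self.index.get(identifier)
        if acct_id is None:
            return False
        acct = self.accounts[acct_id]
        if not acct.identifiers.get(identifier):
            return False
        acct.sessions.add(session)
        return True


def run_trojan_identifier_scenario(strict_recovery: bool) -> bool:
    """Replays the steps from the page; returns True if the attacker can
    still sign in after the victim has recovered the account."""
    svc = AccountService(strict_recovery)
    attacker_phone = "+1-555-0100"          # constructed sample values
    victim_email = "victim@example.com"
    acct = svc.create_account(attacker_phone)       # attacker registers
    svc.add_identifier(acct, victim_email)          # Trojan identifier attached
    # Victim tries to sign up, finds an account exists, and recovers it.
    svc.recover_account(victim_email, session="victim-session")
    # Attacker requests a one-time sign-in link to their own phone number.
    return svc.sign_in_with_link(attacker_phone, session="attacker-session")


if __name__ == "__main__":
    print("attacker retains access (lenient):", run_trojan_identifier_scenario(False))
    print("attacker retains access (strict): ", run_trojan_identifier_scenario(True))
```

With `strict_recovery=False` the attacker’s phone number survives the victim’s recovery and the sign-in link succeeds, which is the outcome the page describes; with `strict_recovery=True` recovery through the victim’s email strips the other identifier and revokes sessions, so the same request fails without relying on the victim to inspect their profile.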

1. history



MoinQ: なりすまし/account_pre-hijacking/5/5.3.2 (last edited 2022-05-31 07:14:55 by ToshinoriMaeno)