How I Could Steal Money from Instagram, Google and Microsoft

in #security, 8 years ago (edited)


A security researcher found vulnerabilities in Instagram, Google, and Microsoft enabling him to drain money from the companies. Here's how he did it.

Instagram: Link Account to Premium Number

Instagram supports linking a mobile phone number to an account, which allows other users to look the account up in Instagram’s global address book. After the user enters the mobile phone number, Instagram sends a text message containing a 6-digit token:


However, if the code is not entered within three minutes on the following screen, Instagram falls back to a voice call from a California number:


This call would last around 17 seconds. The underlying request that triggers it was captured in Burp Repeater:

The request to https://i.instagram.com/api/v1/accounts/robocall_user/ could only be replayed once every 30 seconds because of rate limiting. However, Instagram would happily call any number supplied in the request, including a UK premium-rate number billed at 0.06 GBP/minute, registered via eurocall24.com:
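The weakness described above is that the only control on the voice-call endpoint was a per-number replay interval, while the destination number itself was never checked and no per-account budget applied. The following is an added defensive example, not code from the original post or from Instagram: a small guard for a hypothetical "SMS first, voice fallback" verification service that refuses premium-rate destinations, keeps the per-number interval, and adds per-account daily and distinct-number caps. The premium-rate prefixes, the limits and the phone numbers are constructed for illustration (a real deployment would use a carrier number-type lookup rather than a prefix list). The `daily_exposure` helper carries through the cost arithmetic with the page's own figures (a 17-second call, a 30-second interval, 0.06 GBP/minute) to show why a replay interval alone is not a cost control.

```python
"""Guard for an outbound phone-verification (voice fallback) endpoint.

Added defensive example with constructed data; not the original post's code
and not Instagram's implementation. All limits and prefixes are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed, illustrative premium-rate prefixes (UK 09x ranges, US 900).
# A real service would ask a carrier/number-intelligence API for the number type
# instead of relying on a static prefix list.
PREMIUM_PREFIXES = ("+4490", "+4491", "+4498", "+1900")

DAY_SECONDS = 86_400


def is_e164(number: str) -> bool:
    """Accept only '+' followed by 8..15 digits (E.164 shape, constructed bound)."""
    return number.startswith("+") and number[1:].isdigit() and 8 <= len(number) - 1 <= 15


def daily_exposure(interval_s: float, call_s: float, rate_per_minute: float) -> float:
    """Worst-case cost per day if the ONLY control is one call per `interval_s`
    seconds to one number, each call lasting `call_s` seconds and billed at
    `rate_per_minute` (same currency as the rate)."""
    calls_per_day = DAY_SECONDS / interval_s
    billable_minutes = calls_per_day * call_s / 60.0
    return billable_minutes * rate_per_minute


@dataclass
class CallGuard:
    min_interval: float = 30.0            # seconds between calls to the same number
    max_calls_per_account_day: int = 3    # voice calls one account may trigger per day
    max_numbers_per_account_day: int = 2  # distinct numbers one account may target per day
    _last_call: dict = field(default_factory=dict)                     # number -> last call time
    _history: dict = field(default_factory=lambda: defaultdict(list))  # account -> [(number, t)]

    def check(self, account: str, number: str, now: float) -> tuple[bool, str]:
        """Decide whether a voice call may be placed. Returns (allowed, reason)
        and records the call only when it is allowed."""
        if not is_e164(number):
            return False, "invalid_number"
        if number.startswith(PREMIUM_PREFIXES):
            return False, "premium_rate"

        # Per-number interval: the control the original endpoint already had.
        last = self._last_call.get(number)
        if last is not None and now - last < self.min_interval:
            return False, "too_soon"

        # Per-account budget over a rolling day: prune old entries first.
        recent = [(n, t) for n, t in self._history[account] if now - t < DAY_SECONDS]
        self._history[account] = recent
        if len(recent) >= self.max_calls_per_account_day:
            return False, "daily_cap"
        targets = {n for n, _ in recent}
        if number not in targets and len(targets) >= self.max_numbers_per_account_day:
            return False, "too_many_numbers"

        self._last_call[number] = now
        recent.append((number, now))
        return True, "ok"


if __name__ == "__main__":
    guard = CallGuard()
    # Constructed sample: +447700900xxx is a UK non-allocated drama range.
    print(guard.check("acct-1", "+449012345678", 0.0))    # premium-rate destination refused
    print(guard.check("acct-1", "+447700900123", 0.0))    # first call allowed
    print(guard.check("acct-1", "+447700900123", 10.0))   # inside the 30 s interval
    print(f"{daily_exposure(30, 17, 0.06):.2f} GBP/day with the interval alone")
```

The point of the per-account caps is that a replay interval bounds the call *rate* but not the *spend*: with the page's numbers the interval alone still permits roughly 49 GBP of billable airtime per day from a single account, and nothing stops an attacker from registering more accounts, so a premium-rate check on the destination is the control that actually removes the incentive.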

Read the full post here, including details of Google and Microsoft attacks:

https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/
