How to hack instagram account 2024?

  • User asked in 2024-01-24 21:40:57

1 Answer

King Of Kings
Specialty: AI

What should I do if I forget my password? Of course, the answer is to reset the password. However, even such a common operation has security risks.


Recently, a white hat hacker, Laxman Muthiyah, discovered that users may be hacked when they reset their Instagram account password. Facebook acknowledged the vulnerability and rewarded the white hat $10,000.


So what exactly does this vulnerability look like? Let’s take a look!


White hat hackers demonstrate how to crack

White hat hackers discovered that Instagram randomly generates numbers for each device when a user issues a password reset request.


The device number is a 6-digit random string generated by the Instagram application and a unique identifier for the Instagram server to verify the password reset code. This ID can also be used to check the validity of the code.


When a user requests a password using a mobile device, the device ID is sent with the request.


Instagram allows the use of the same device ID to request codes for multiple user accounts, which also allows attackers to perform brute force attacks to obtain device IDs.



For a 6-digit password (000001 to 999999), there are a million combinations.


For example, requesting the passwords of 100,000 users using the same device ID would result in a 10% success rate because 100k codes would be posted to the same device ID. If passwords are requested for 1 million users, all 1 million accounts can be easily hacked by incrementing the passwords one by one.


verify password:


POST /api/v1/accounts/account_recovery_code_verify/ HTTP/1.1
User-Agent: Instagram 92.0.0.11.114 Android (27/8.1.0; 440dpi; 1080x2150; Xiaomi/Xiaomi; Redmi Note 6 Pro; Tulip; QCOM; en_IN; 152830654)
Accept-Language: en-IN, en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Host: i.instagram.com
Connection: keep-alive

recover_code=123456&device_id=<device ID>

Generally, users choose to reset their passwords in order to avoid risks. However, the warning brought by this incident is that well-known security may not necessarily be truly safe. Risks are everywhere, and you must always be careful when surfing the Internet.

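The answer above attributes the problem to one device ID being accepted for reset requests on many accounts. The following Python is an added example, not part of the original answer and not Instagram's code: a server-side reset-code check that ties each code to the account and device that requested it, caps how many accounts one device ID may reset, and burns a code after repeated misses or expiry. The class name `ResetService` and the three limits are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# All names and limits below are assumptions chosen for illustration.
CODE_TTL = 600               # seconds a reset code stays valid
MAX_ACCOUNTS_PER_DEVICE = 3  # accounts one device ID may reset per TTL window
MAX_ATTEMPTS = 5             # failed checks before the code is burned


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # account -> [code, device_id, expires, attempts_left]
        self.by_device = {}  # device_id -> {account: time of last request}

    def request_code(self, account, device_id):
        now = self.clock()
        seen = self.by_device.setdefault(device_id, {})
        for acct in [a for a, t in seen.items() if now - t > CODE_TTL]:
            del seen[acct]   # forget requests older than one TTL window
        if account not in seen and len(seen) >= MAX_ACCOUNTS_PER_DEVICE:
            return None      # same device ID fanning out over many accounts
        seen[account] = now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = [code, device_id, now + CODE_TTL, MAX_ATTEMPTS]
        return code          # a real service sends this by e-mail/SMS only

    def verify(self, account, device_id, guess):
        entry = self.pending.get(account)
        if entry is None:
            return False
        code, bound_device, expires, _ = entry
        expired = self.clock() > expires
        ok = (not expired
              and device_id == bound_device   # code is tied to the requester
              and hmac.compare_digest(guess.encode(), code.encode()))
        entry[3] -= 1        # every check, right or wrong, uses up an attempt
        if ok or expired or entry[3] <= 0:
            del self.pending[account]  # single use; burned on expiry or misses
        return ok
```

Because a device ID is chosen by the client, the per-account attempt cap is the control that still holds when the ID is changed between requests.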