Hacking Instagram Accounts With Computer Science

Captions
So there's a hack on Instagram that's making people lose access to their accounts, and I've been spending the last couple days trying to replicate it, and it works. I'm now able to get access to millions if not trillions of accounts, um, but obviously I don't want to, so instead I'm making this video. In this video we're going to be talking about how these hackers are doing it with coding, how the hack works, how Instagram can fix this, and how you can stop getting ha

All right, so here's how the hack works. These are screenshots from my friend that actually got hacked last week and lost her account, but she got her account back and everything, so it's all good. It starts off with one hacked account, and they message one of their close followers or, you know, friends on Instagram, and they say something like: "I was trying to log into my Instagram page on my new phone and they asked me to find someone to help me receive a code. Instagram gave me suggestions from two friends and you are one of them. The other person is not online. Would you help me receive the code please?" And so they do some hacking with Instagram, which we're going to see, which makes Instagram send a reset password link via text message to the victim. And so then the hacker says, "Please screenshot and send it to me, don't click on it when you receive the thanks." And honestly it looks pretty chill, so yeah, my friend sent it.

This is what the text message looks like, and it's mad vulnerable because it's the reset password link for the victim, not the hacker. Once the hacker gets this link they can type it into their browser and reset the password of the victim's account and gain access to the victim's account, and then with access they can do the same thing to their followers and then hack more accounts.

The reason why this works is because, one, the message comes from your friend's account; two, the reset password link is from Instagram's official number; and three, you pretty much trust that Instagram wouldn't let your own account be hacked by a link that they sent you. And also, if this hack gets traced back to an account that sent these messages, then that account can just claim that they got hacked too, or they were hacked, so it wasn't them sending the messages. And yeah, that's just how the hack works.

Okay, so now let's try to do the same thing, so check me out, right. All we know is the user's username, and we have to somehow give this to Instagram and make Instagram send a reset password via text message to the victim. Then the victim will send a screenshot of the text message to the hacker and get [Music] hacked.

Okay, so first let's just try to do forgot password on the Instagram website. So let's send the login link, and we see here that it sends it via email, and if we check the email we see this reset password. And email is fine because there's no link that you can screenshot. If you see here, it's hidden behind this button, and so if you click this button it's going to go to the same link that's sent via text, but it's not as vulnerable because you can't screenshot it and send it to the hacker. So yeah, in this case Instagram isn't that bad. Not bad my suck buger not bad.

Oh, so now we're going to have to see how Instagram processes our requests to them. Then once we see how they process our request, maybe we can change the request up so that it forces Instagram to send the reset password via text instead of email. Okay, so the way we're going to be doing this is through something called a proxy, and here I drew another picture for you guys. And so our computer is sending information to Instagram, right, but if we put a proxy here it's going to be in the middle of our computer and Instagram, so we can read the messages being sent back and forth, and so we can even change that information. So what we're looking for is pretty much, our computer is going to be sending like, "Yo, I need you to send a reset password link to this username," you know, I used my tester _ sg9, and I'm looking for like a field in that request that says email true or false, or maybe text message true or false, so that we can choose if Instagram is going to be sending it via email or text. So yeah, let's try it out.

Okay, so we're back on Google Chrome, and here we're just using this thing called a network monitor that lets us see the request going back and forth. Okay, so let's send the request to reset our password, and we see here on the network monitor that a request went out that says account recovery send Ajax, and yeah, this is the request from our computer telling Instagram that we need the reset password. And so here we go over to payload, which is like the information that we're sending, and here it says email or username tester SG 99, and that makes sense because that's the username that we're using, but we don't see here any option to do text message or anything like that.

On the Instagram forgot password we see that it actually has an option for us to give us the phone number, so let's see how that works. It sends the reset password link via text message, which is vulnerable, and on the network monitor we also see again it sends a request to Instagram account recovery send Ajax, but instead of the username the field is the number. And this is cool and all, but the problem is that we don't know the phone number. All we know is the username, so we can't input or send Instagram this phone number for it to work, because we just don't know what it is. And yeah, so then we can try it on our phone via our iOS app, but the problem is that it's the same exact thing: it defaults to sending the email reset password, which is not vulnerable, instead of the text message, which is vulnerable.

Okay, so at this point I was just grinding, looking at the network traffic, but honestly it was not looking good. Uh, I pretty much almost gave up on this, I thought the hackers were too good. Um, I went to the beach, which is pretty cool. I also brought together the smartest minds at CMU to help me think about this problem, and honestly they didn't even try to help me, but it's all good. I went on YouTube and I found this video: "so I have write the phone number on my Instagram find session so tape on next". And yo, on an old Android version of Instagram they let you decide whether to send the reset password via email or SMS, and this is exactly what we need. If we can just look at how the Android app is sending the request to Instagram with this field deciding SMS or email, then we pretty much have the [Music] hack.

Okay, so I started up a virtual machine, which just means I have a simulated Android phone on my computer. Um, people usually do this so they can run Android apps on their MacBook or something. Uh, this is me playing Subway Surfers, hey, look at me go. And so yeah, we can download an old version of Instagram and take a look. First let's just try it out with the username. For some reason the text is all garbled and I actually have no idea why, but it's whatever. And yeah, here we see that there's options for sending an email, sending a text message, or doing Facebook, so we'll select SMS, and here we have a text message from Instagram saying that, you know, we can reset the password, in plain text.

Okay, so now the same thing, let's start off a proxy server and listen to the traffic. And yeah, actually it doesn't work now, and so after doing some research online I found that Instagram actually blocks proxy servers on their Android apps so that you can't listen on the network traffic. And so yeah, this is just another roadblock. Uh, this just means that we have to do more reverse engineering. And so what I'm thinking is that all these apps, or like any program in general, is just, at the very core of it, is just a list of computer instructions. So there's one computer instruction in the Instagram app that says if this person is using a proxy then block the traffic. So what we can do is change this instruction to say if the person is using a proxy then just let it through. And so yeah, let's try that out. And actually, good news is that people have done this before and wrote an article online, so let's take a look at it. And yo, you know a coding article is about to be hella good and written by some kind of weird hella smart person when they write "bingo" with an exclamation mark in [Music] it.

Okay, so first we have the binary code, which is what the machine reads, and you know, humans can't read this, so we have to change it back into assembly and then source code, and the source code is human readable. So then once we have the source code we're going to find exactly which line is blocking us, but we can't just change the source code here because it's not a perfect translation with the binary. But instead we're going to have to look into the assembly code, which is a direct translation, and change it there. In this case it's just changing a jump instruction into a not jump instruction, and so now we can rerun this patched version and it won't block us.

And now we're so close. When we click this button we're going to have the request that gets sent to Instagram that makes them send a text message, so let's click it. We see that it worked and we got the text message, and uh, bingo. And so here we were able to find the exact request that's needed for this hack: it's i.instagram.com apiv1 users lookup phone HTTP 2.0. And we can double check that this is all we need by hitting replay, which is going to resend this request, and seeing if we get another text message, which I did.

But now we don't only want this to work for one username, we want it to work for any username. So how we can do this is first copy the request and put it into a new Python file, then we can find the specific username we used and replace it with the variable that we input before sending the request. This is going to allow us to put in any username, and then Instagram will send the reset password link to their number. So when we try it and put in a different account, we see that it sends the request off and says success, and we get the reset link on our phone, and that's actually kind of cool.

Okay, yeah, so now potentially I could get half of my school, like, I don't know, Instagram accounts, because honestly I would fall for if my friend sent me a text message or like asking for a screenshot, I'd probably send it if I didn't research this before. But that's hella dumb, and I think this shouldn't happen, and Instagram should fix this. And so I think what Instagram should do is, well, one, disable the SMS reset password thing, because I don't think you can send a text message link without it being screenshot in plain text, and also they need to re-patch their API, which is what we're using to send the request to. And honestly, Instagram, if you're watching this, I could do this for you. I'm pretty sure Coinbase is about to lay me off any second now, so yeah, hit me up.

Oh yeah, and how you cannot get hacked is, um, I'd say just like don't send screenshots of reset passwords. Um, but honestly I would fall for it too, like I said, so, um, I don't know, now you know. And it's actually pretty common that hacks work like this. I think it's like 95% of all cyber security hacks are from user error. And yeah, this video is for educational purposes only. Um, Instagram actually already took down one of my videos, so like I'm kind of tweaking about it, like I'm risking it all on this one, kind of. But yeah, if you wanted to learn this stuff it's like computer engineering, computer systems, slcs, so I would say just like look into that, I think it's pretty cool. And yeah, that's about it. Subscribe for more, hit me up on Instagram, it's @@ not n, hopefully doesn't get hacked, but yeah, that's about [Music] it. B new L image just like the villain
Info
Channel: nang
Views: 561,924
Id: Iur1cDMxBBQ
Length: 12min 40sec (760 seconds)
Published: Tue Jun 28 2022