-----------------=======[ In The Name Of God ! ]=======-----------------
[+] Instagram - Open Redirect Vulnerability
[+] Date: Wed Feb 8 2017
[+] Remote: Yes
[+] Risk: Low
[+] Author: Senior Motezad
[+] Contact: firstname.lastname@example.org
[+] Tested on: Linux ( Ubuntu 16.04 ) => Mozilla Firefox V51.0.1 (32bit)
[+] Exploit : http://l.instagram.com/?e=ATPnhFvGMbQ5D__yDeeIpgsA9IBvE7s4gPRGzNIkWbCMbKuNksNY3rcEMAUIJpeuoK0MhSA&u=[ Open Redirect Vul ]
| Description |
#What is Instagram ?
Instagram is an online mobile photo-sharing site that allows its users to share pictures and videos either publicly or privately on the app, as well as through a variety of other social networking platforms, such as Facebook, Twitter, Tumblr, and Flickr.
Instagram was created by Kevin Systrom and Mike Krieger, and launched in October 2010 as a free mobile app. The service rapidly gained popularity, with over 100 million active users as of April 2012 and over 300 million as of December 2014. Instagram is distributed through the Apple App Store and Google Play. Support for the app is available for iPhone, iPad, iPod Touch, Windows 10 devices and Android handsets, while third-party Instagram apps are available for BlackBerry 10 and Nokia-Symbian Devices.
#What is Open Redirect Vulnerability?
Open redirect is a security flaw in an app or a web page that causes it to fail to properly authenticate URLs.
When apps and web pages have requests for URLs, they are supposed to verify that those URLs are part of the intended page’s domain. Open redirect is a failure in that process that makes it possible for attackers to steer users to malicious third-party websites. Sites or apps that fail to authenticate URLs can become a vector for malicious redirects to convincing fake sites for identity theft or sites that install malware.
Normally, redirection is a technique for shifting users to a different web page than the URL they requested. Webmasters use redirection for valid reasons, such as dealing with resources that are no longer available or have been moved to a different location. Web users often encounter redirection when they visit the Web site of a company whose name has been changed or which has been acquired by another company.
| Proof Of Concept |
when you put the website address in instagram account and save it , you can visit victim's profile and use inspect element to see the link of redirection.
this link have 2 parameters (?e=[Its Unknown String but it must exist to redirect ! ]&u=[your website address])
done ! you can change parameter "u=[your website address]" and enjoy !
good luck ;)
| FriendS |
black hawk - back mind - Black intell - backwolf_iran - dash javad