How I was able to remove your Instagram Phone number

Phone numbers are the most important Out-of-band features in network and security, now a days from phone number we register, login for an account.

Instagram have feature to login, sign up through mobile number, and after signing up instagram through mobile number we have to verify that we are real person, through OTP (One Time Password) sent to that mobile number.

But while searching for vulnerability in Instagram, I found that verifying OTP endpoint have no limit, it means we can brute-force the 6 digit code sent to mobile number.

Other thing is that even if your mobile number is registered with instagram then also you are able to reuse that mobile number again on registration page.

While bruteforcing OTP responses I got are:

Response when OTP is wrong:

{“status”: “ok”, “error_type”: “form_validation_error”, “errors”: {“sms_code”: [“That code is no longer valid. Go back to request a new one.”]}, “account_created”: false}

Response when OTP is correct.:

{“status”: “ok”, “account_created”: true}

As you can see in the above screenshot that, 636 requests were made by me and no lockout is there.

Finally, I bruteforced the OTP successfully and was able to create account from that mobile number.

When I logged out from that test account, and signed in on my real Instagram account(initially registered with that mobile number from which I have created test account).

And got this page after logging in

From above photo we can confirm that the mobile number has been removed from my Instagram account.

Here is the POC video:

Timeline:

8 November 2016: Report Submitted
16 November 2016: Facebook response that not able to reproduce the issue
18 November 2016: POC video provided by me.
19 November 2016: Again Not accepted
19 November 2016: Again provided POC video with time and date
19 November 2016: Issue triaged
27 December 2016: Issue Patched
29 December 2016: $1000 bounty awarded.

Thanks
Regards
Neeraj Edwards