Instagram Account Takeover / Reset Password Exploit Service

Automatic escrow can be used in this thread!

Status: Closed for further replies.

minecraftold (rank: floppy disk; User; registered 02.12.2022; posts: 4; reactions: -2)

Hello guys, I'm officially starting a new service about Instagram Reset password / Account Takeover. I have had experience with binary exploitation and buffer overflows for years.



Recently I found by myself an Instagram exploit with which I can bypass the token by decoding a specific base64 algorithm with the help of sqli database browser.


The service is new and success rate is 80% - 90%.

Services Are:
50€= Send you a picture of the private messages of the specific account by following your guidance about what to do exactly.
100€= Ban the account.
150€= You guide me to upload specific photos, send particular messages so you can avoid permanent IP ban / break policy laws.
200€= Full account takeover by sending you the credentials of the account after successfully logging in and changing the email.


* I want to be honest with you. The hard part of this exploit is that the token refreshes automatically every time the user logs in to his account. So from my experience 5 - 7 days is the max to successfully find the token. If it takes longer I will continue the exploitation until I get it. Don't worry, the exploit just runs in the background. *


https://t.me/joshferr12222 to talk privately

Exploit in action:

 
Please note that this user is banned
CVE-2021-2022 and CVE-2022-2023 certainly sound epic, but you should have looked up first what those vulnerabilities actually are. Work through escrow.
 
Looks like a scam. In systems this large, every token has a timeout. Once you find the right coin among billions of tokens, the token will expire. Usually all tokens are deactivated within 24 hours. Also, if you have the ability to hack such a large system, please note that Python has multithreading. 😹
 
Judging by the exploit, if the author isn't just a blowhard, which I doubt 99.99%:
Instagram has a password recovery algorithm in which, apparently, there is a maximum number of possible tokens, but I find that hard to believe. And how are you going to brute-force the recovery link if it only lives for 1 day? And if the user spots your recovery request, he will press the button and your token is RIP.
All in all, it sounds like nonsense.
 
Yeah, the token will expire when I log out of the account. I would have already done my job by changing the email / password. What's wrong with Python multithreading? It's a good thing in my case, actually.
 

Dude, what you think is just bullshit. There are billions of possibilities, it's impossible to send so many requests before the token expires. (I think the token for Instagram only lives for 1 or 2 hours.) Even if you could do that, it would take millions of residential proxies for the job. When you send 10k+ requests to Instagram, you will see the HTTP 429 status code. 💩

An Instagram token looks like this: [a-zA-Z0-9]{64}. Get this shit out of your head and start seeing a math teacher.
 
If you do some research, the Instagram token is 6 digits with max 2 duplicates. The brute force of the Instagram token is done on the reset password link, not straightforward. It doesn't even need proxies; it is not a login page, it's a reset link.
 
Yes, I wish our dreams 😴 came true 💩. Now wake up and call your math teacher 👩‍🏫. Minecraft thinking that the rate limit is only valid on POST. 😹
 