Contents
5.3.2 Instagram
We found that Instagram was vulnerable to the Trojan Identifier Attack.
Trojan Identifier Attack (Alternative identifier variant).
In Instagram, identifier verification is mandatory when creating an account. Nevertheless, an attacker could create an account using the attacker’s phone number, and associate the victim’s email address to the created account. This would cause a verification email to be sent to the victim’s email address. However, based on our assumptions in Table 1, some victims might ignore this email. When the victim subsequently tried to create an account using their email address, they would find that an account already exists (and might misinterpret this as e.g., being related to the acquisition of Instagram by Facebook, if they already have a Facebook account with the same email address). The victim might recover the account and start using it. The attacker would then be able to sign into the account by requesting a one-time sign-in link to be sent to the attacker’s phone number. However, the attack can be thwarted if the victim notices and removes the attacker’s phone number from the account. As Instagram is a social network and an IdP, a successful attacker would be able to access photos and videos shared by the victim and members of their network, and sign in to other services where the victim uses Instagram as an IdP. The attacker would also be able to read the chats of the victim and impersonate the victim. When we responsibly disclosed our findings to Instagram in July 2021, they noted that their identifier verification emails include a link to report suspicious sign ups. However, it is unclear how many victims would take action in this situation, as previous studies (e.g., [2]) have shown user-initiated security decisions to be ineffective. Additionally, Instagram also noted that it is the responsibility of the users to look for Trojan identifiers in their profile.