Social engineering on Instagram
This article will be about hacking Instagram accounts due to the inexperience of their owners. All this is described for informational purposes only.
The key to hacking will be prior access to the victim's mail. With the advent of the era of two-factor authentication, many mail services have refused the possibility of restoring an account using a secret question, but not all. Yandex and Rambler still offer users instead of a phone number to enter an answer to a secret question, this will help us.
Now the main task for us will be to find those Instagram accounts to which the mail we need is tied. In order not to manually review the profiles in search of the “Contacts” button or “E-mail address”, I wrote a simple Python script that collects the logins of subscribers of a certain person and sends a password reset request to everyone, and the server response is written to the file:
Here we see the lists of profiles and their mailing addresses, or rather a small part of them, but capable of telling us what kind of mail service it is. In this case, I chose the first yandex.ru that came across.
We go to this profile and see that contacts are indicated among which the desired e-mail address.
Ok, now go to the Yandex website and try to reset the password. As expected, we are asked to answer the question "Name of the dog."
Hmm ... Having tried the most popular (Jack, Gerda, Bug), nothing happened. Will have to act in the framework of social engineering.
We create a fake account, put a cute animal on the avatar and take the nickname animal___planet. Done, now you can write to the victim:
Voila, we have the answer to the secret question, we have the login profile associated with this mail. I’ll say from my own experience that most people don’t use two-factor authentication on Instagram, that's why we easily restore it, as well as many services that are also tied to this email address.
The key to hacking will be prior access to the victim's mail. With the advent of the era of two-factor authentication, many mail services have refused the possibility of restoring an account using a secret question, but not all. Yandex and Rambler still offer users instead of a phone number to enter an answer to a secret question, this will help us.
Now the main task for us will be to find those Instagram accounts to which the mail we need is tied. In order not to manually review the profiles in search of the “Contacts” button or “E-mail address”, I wrote a simple Python script that collects the logins of subscribers of a certain person and sends a password reset request to everyone, and the server response is written to the file:
Here we see the lists of profiles and their mailing addresses, or rather a small part of them, but capable of telling us what kind of mail service it is. In this case, I chose the first yandex.ru that came across.
We go to this profile and see that contacts are indicated among which the desired e-mail address.
Ok, now go to the Yandex website and try to reset the password. As expected, we are asked to answer the question "Name of the dog."
Hmm ... Having tried the most popular (Jack, Gerda, Bug), nothing happened. Will have to act in the framework of social engineering.
We create a fake account, put a cute animal on the avatar and take the nickname animal___planet. Done, now you can write to the victim:
Voila, we have the answer to the secret question, we have the login profile associated with this mail. I’ll say from my own experience that most people don’t use two-factor authentication on Instagram, that's why we easily restore it, as well as many services that are also tied to this email address.
All Articles