How I hacked Instagram and disabled my read receipts.
I recently watched a YouTube video by Mrwhosetheboss about an Instagram story that makes your device crash (link: https://youtu.be/OHlZXyhG3eQ),
so the only logical thing to do for my high-on-caffeine self was to try it myself.
Why did the phone crash?
To explain in a simplified manner, the first thing to note is that Instagram stories are not just images. They can carry many different elements: stickers, polls, Q&A boxes, countdowns, etc. Each element comes with a set of properties such as height, width, text and color, and those properties reach the viewer's device as data fields, not as pixels.
What the attacker in the video did was set the height and width of such a sticker or other element to values so large that the viewer's device hangs while trying to lay it out and render it.
Another crashing story used the same method: the attacker changed one (or more) of the story's data fields to something the device could not make sense of (e.g. garbage text where a countdown expects a date). In both cases the weakness is the same: the client uses the data it receives without first checking that it is sane.
This sounds easy in principle, but the execution is more complicated than it seems. After all, an app such as Instagram isn't going down without a fight.
HTTP Proxy
So you might be wondering how the attacker manipulated the story's data (using the app itself, you obviously can't set a sticker's height to 1890808408503948503453409485 pixels).
To achieve this, the attacker used something known as an HTTP proxy.
HTTP: the request/response protocol over which web clients and servers exchange data on the internet.
HTTP Proxy: a program that sits between your device and the server. Every request the device is configured to send through it, and every response coming back, passes through the proxy, where it can be inspected and modified before being forwarded.
Setting up your proxy
For this purpose I used Burp Suite. Burp Suite is a favorite in the infosec community: it bundles an arsenal of tools for conducting a variety of web-based attacks. Anyone interested in cybersecurity must learn to use Burp Suite.
First I set up a listener in Burp Suite bound to my laptop's WiFi interface on port 8090. A listener does not sniff the whole WiFi network; it only receives the connections that a client has been explicitly configured to send to it.
Next, I set the proxy in my Android device's WiFi settings so that all of its HTTP(S) traffic goes to port 8090 of my laptop's IP address.
Now my HTTP proxy is set up. But as this isn't 2010, plain HTTP will not be of any use to us. To use the proxy with HTTPS, I must install Burp's CA certificate on the Android device. With the proxy active, I navigate to http://burpsuite on the phone and download the CA certificate (Burp serves it as cacert.der; Android's installer only picks up the file with a .cer or .crt extension, so rename it first). Then I install it as a CA certificate by tapping it in the file manager. Note that a certificate installed this way lands in the user CA store: the browser trusts it, but apps targeting Android 7 (API 24) or later do not trust user-added CAs unless the app's own network security configuration opts in.
HTTPS: HTTP carried over TLS. The traffic is encrypted, and the server proves its identity with a certificate.
CA certificate: the certificate of a Certificate Authority, which a device uses as a trust root to verify the certificates servers present. Burp generates a certificate for each host on the fly and signs it with its own CA; once that CA is installed on the device, the device accepts Burp's certificates as if they came from the real servers.
Our HTTPS proxy is set up now.
Can I hack it now?
Not quite yet. I was thinking that since my proxy was set up and working with my browser, it must be working with the Instagram app too. But when I checked Burp, there were no requests from Instagram; instead, a lot of error messages were piling up.
After around 30 minutes of Googling and troubleshooting, I came to know that Instagram uses something known as certificate pinning.
Certificate pinning: a defence apps use against man-in-the-middle attacks. Instead of trusting any certificate the device's CA store would accept, the app ships with a copy (or a hash) of the certificate, or of the public key, it expects the server to present.
On every connection the app compares the certificate the server presents against that pinned copy. A certificate issued by a third party carries a different key, so it fails the check no matter how trusted its CA is on the device. This is why a proxy's certificate is rejected even after its CA has been installed.
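To make the check concrete, here is an added example (not Instagram's code, nor anything from the post) of the pinning logic a TLS client performs: it digs the SubjectPublicKeyInfo out of a DER certificate, hashes it into the "sha256/…" pin format used by OkHttp and HPKP, and accepts a chain only if one of its certificates matches a shipped pin. The two certificates it checks are constructed in the block with dummy keys and garbage signatures; the hostname example.com is an assumption. The point it demonstrates: Burp's on-the-fly certificate has the same subject as the real server's but a different key, so the pin fails even though the device trusts Burp's CA.

```python
"""Certificate pinning check, as an Android app (or any TLS client) would do it:
compare the SHA-256 of the server's SubjectPublicKeyInfo against a pin the app
ships with. Stdlib only; the DER reader is just enough to walk an X.509 cert."""
import base64
import hashlib


def _read_tlv(buf, pos):
    """Return (tag, header_len, content_len) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _children(buf, pos):
    """Yield (tag, start, end) for each element nested in the constructed element at pos."""
    _, hlen, clen = _read_tlv(buf, pos)
    cur, end = pos + hlen, pos + hlen + clen
    while cur < end:
        tag, chlen, cclen = _read_tlv(buf, cur)
        yield tag, cur, cur + chlen + cclen
        cur += chlen + cclen


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs_start, _ = next(_children(cert_der, 0))
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    fields = list(_children(cert_der, tbs_start))
    if fields[0][0] == 0xA0:              # explicit [0] version tag present
        fields = fields[1:]
    _, start, end = fields[5]
    return cert_der[start:end]


def spki_pin(cert_der):
    """Pin in the format used by OkHttp's CertificatePinner / HPKP: sha256/<base64>."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


class PinnedVerifier:
    """Accept a presented chain only if some certificate in it matches a shipped pin."""

    def __init__(self, pins):
        self.pins = set(pins)

    def verify(self, chain_der):
        return any(spki_pin(c) in self.pins for c in chain_der)


# --- constructed test certificates (NOT real certs: dummy keys, garbage signature) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(pubkey, cn):
    """Structurally valid X.509 DER with the given key bytes and CN; signature is garbage."""
    rsa_sha256 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    rsa_enc = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, rsa_enc + _der(0x03, b"\x00" + pubkey))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + rsa_sha256
               + name + validity + name + spki)
    return _der(0x30, tbs + rsa_sha256 + _der(0x03, b"\x00" * 33))


HOST = "example.com"                                  # assumed hostname
REAL_SERVER_CERT = fake_cert(b"\x01" * 64, HOST)      # the cert the app was pinned against
BURP_CERT = fake_cert(b"\x02" * 64, HOST)             # Burp's on-the-fly cert: same name, different key
APP_VERIFIER = PinnedVerifier([spki_pin(REAL_SERVER_CERT)])


def check(chain_der):
    """Return (accepted, pin_seen) the way an app's pinning layer would report it."""
    return APP_VERIFIER.verify(chain_der), spki_pin(chain_der[0])


if __name__ == "__main__":
    print("real server:", check([REAL_SERVER_CERT]))   # accepted
    print("Burp cert:  ", check([BURP_CERT]))          # rejected: device trusts Burp's CA, app does not
```

Pinning the public key rather than the whole certificate is what lets a server rotate its certificate without breaking the app; it is also why re-signing a certificate with your own CA never gets past the check, and why the only practical bypass is to remove the check from the app itself.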
The only workaround I could find for this was to decompile the Instagram app and patch its code. But that looked like too much of a headache. To my rescue came a GitHub repository which had already done this for me
(link: https://github.com/itsMoji/Instagram_SSL_Pinning). After installing this APK, my HTTPS proxy was working okay with the Instagram app (not perfectly, though: only some features were working).
Let's get crackin'
To start, I messed around with stories to see whether the height and width exploit still works. But as expected, Instagram has patched that vulnerability.
So I went in a different direction and wondered whether I could manipulate the timestamps of the messages I send. I started looking for keywords like time and timestamp in the requests that my Burp proxy intercepted.
I started playing around with those requests, giving garbage data to the fields that expected a timestamp. And voilà! After a few attempts I was successful in removing the seen receipt of the person receiving my message. This means that I can now read messages without the other person knowing!
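The hunt just described (find every field in an intercepted request that looks like a time, then resend it with values it was never meant to hold) is what Burp's Repeater and Intruder do by hand. The following is an added example, not the post's code and not based on Instagram's actual API, that performs the same two steps stand-alone: it walks a JSON or form-urlencoded body, lists the timestamp-looking fields by path, and generates one mutated body per field and payload. The sample bodies and their field names are constructed placeholders.

```python
"""Locate timestamp-like fields in an intercepted request body and generate the
malformed values to try in each one: a stand-alone equivalent of searching for
'time'/'timestamp' in Burp and resending the request with garbage."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode

# Keys that usually carry a time: timestamp, client_time, sent_at, expiry_date, ts ...
TIME_KEY = re.compile(r"time|date|_at$|(^|_)ts$", re.I)

# Values a field typed as "timestamp" is unlikely to have been tested against.
PAYLOADS = [
    "",                       # empty
    "garbage",                # non-numeric
    -1,                       # negative epoch
    0,                        # epoch zero
    2 ** 63,                  # overflows a signed 64-bit integer
    "1e309",                  # parses to infinity as a float
    None,                     # JSON null
    "9999-99-99T99:99:99Z",   # unparsable ISO date
]


def find_time_fields(obj, path=""):
    """Walk a decoded JSON body; return [(path, value)] for timestamp-looking keys."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if TIME_KEY.search(key):
                hits.append((here, val))
            hits += find_time_fields(val, here)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += find_time_fields(val, f"{path}[{i}]")
    return hits


def _tokens(path):
    """'a.b[0].c' -> 'a', 'b', 0, 'c'"""
    for part in path.split("."):
        name = part.split("[", 1)[0]
        if name:
            yield name
        for idx in re.findall(r"\[(\d+)\]", part):
            yield int(idx)


def set_path(obj, path, value):
    """Set the element at a find_time_fields() path, in place."""
    toks = list(_tokens(path))
    cur = obj
    for tok in toks[:-1]:
        cur = cur[tok]
    cur[toks[-1]] = value


def mutations(body, content_type):
    """Yield (field, payload, mutated_body) for every time field x payload.
    Supports JSON and application/x-www-form-urlencoded bodies."""
    if "json" in content_type:
        original = json.loads(body)
        for path, _ in find_time_fields(original):
            for payload in PAYLOADS:
                mutated = copy.deepcopy(original)
                set_path(mutated, path, payload)
                yield path, payload, json.dumps(mutated)
    elif "x-www-form-urlencoded" in content_type:
        pairs = parse_qsl(body, keep_blank_values=True)
        for i, (key, _) in enumerate(pairs):
            if not TIME_KEY.search(key):
                continue
            for payload in PAYLOADS:
                mutated = list(pairs)
                mutated[i] = (key, "" if payload is None else str(payload))
                yield key, payload, urlencode(mutated)


# Constructed sample bodies; the field names are placeholders, not Instagram's.
SAMPLE_JSON = json.dumps({
    "message": {"text": "hello", "sent_timestamp": 1700000000,
                "meta": {"device_time": "2024-01-01T00:00:00Z"}},
    "seen_at": 1700000001,
    "receipt": {"enabled": True},
})
SAMPLE_FORM = "text=hello&client_timestamp=1700000000&seen_at=1&device=phone"


def time_field_paths(body, content_type):
    """Just the field names/paths that would be fuzzed, for a quick look."""
    return sorted({field for field, _, _ in mutations(body, content_type)})


if __name__ == "__main__":
    print(time_field_paths(SAMPLE_JSON, "application/json"))
    for field, payload, new_body in list(mutations(SAMPLE_JSON, "application/json"))[:3]:
        print(field, repr(payload), new_body)
```

Each mutated body is what you would paste into Repeater; the interesting signal is not an error page but a response that succeeds while the server has stored a value it cannot interpret, which is exactly how a "seen" event can end up never being shown to the other side.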
This is where the effects of the caffeine started to wear off and I decided to call it a night.
ABOUT ME
I’m Vinayak Dubey, an undergrad CSE student from VIT Vellore, India.
My interests and skills include Cybersecurity, ethical hacking and robotics.
Feel free to contact me regarding any queries/ issues or if you just wanna network.