Disavow Flow is Not Properly Enforced in Instagram [1000 USD Bounty]
When a malicious actor gains access to a user account or makes changes to it, a disavow email is sent to the user's original email address. That email contains a “Secure your account” link that lets the owner recover the account.
Disavow flow is an Instagram feature that lets a user regain access to their account directly from an email when the account has been hacked or compromised. If an attacker accesses the account and makes changes (changing the password or email), or a suspicious login attempt is detected, an email is sent to the user's original email address. From there the owner can disavow the action by clicking “Secure your account”.
However, a bug in Instagram revokes the password reset token, so the victim can no longer change their password. For instance, once the attacker has compromised the victim's account, the attacker can simply enable two-factor authentication and then temporarily disable the account. So even though the victim receives the disavow email, its link is no longer usable.
Repro Steps
Users: User ABC (victim), User XYZ (attacker)
1. Suppose User ABC's account is compromised by User XYZ.
2. A disavow notification is sent to the email of User ABC, the original owner of the account.
3. User XYZ wants to disable the disavow action.
4. User XYZ enables 2FA on User ABC's account and then temporarily disables the account.
5. User ABC tries to disavow the action by clicking “Secure your account”, but it does not proceed.
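The steps above as a toy model, added here to show the design point behind the bug; it is not Instagram's code and the internal mechanism is an assumption. It assumes that disabling an account revokes ordinary reset tokens, and contrasts a buggy flow that also revokes the disavow token with a fixed flow that honours the disavow token regardless of later changes made by the compromised session.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    two_factor: bool = False
    disabled: bool = False
    reset_tokens: set = field(default_factory=set)    # ordinary password-reset tokens
    disavow_tokens: set = field(default_factory=set)  # tokens mailed to the original owner


def attacker_changes_password(acct: Account, new_password: str) -> str:
    """Compromised session changes the password; the service mails the
    original owner a disavow token (the 'Secure your account' link)."""
    acct.password = new_password
    token = f"disavow-{len(acct.disavow_tokens) + 1}"  # constructed token format
    acct.disavow_tokens.add(token)
    return token


def enable_2fa_and_disable(acct: Account, buggy: bool) -> None:
    """Further changes by the same session. Disabling an account reasonably
    revokes ordinary reset tokens; the modelled bug is that the disavow
    token is revoked along with them."""
    acct.two_factor = True
    acct.disabled = True
    acct.reset_tokens.clear()
    if buggy:
        acct.disavow_tokens.clear()


def disavow(acct: Account, token: str, owner_password: str) -> bool:
    """Owner follows the emailed link. A valid disavow token is honoured even
    though the account is now disabled and 2FA-protected: it reverts the
    session's changes, re-enables the account and is consumed (single use)."""
    if token not in acct.disavow_tokens:
        return False
    acct.disavow_tokens.discard(token)
    acct.password = owner_password
    acct.two_factor = False
    acct.disabled = False
    return True


def reproduce(buggy: bool) -> bool:
    """Run the report's steps 1-5; return whether the owner regained access."""
    acct = Account(password="owner-pw")                  # User ABC
    token = attacker_changes_password(acct, "xyz-pw")    # User XYZ, steps 1-2
    enable_2fa_and_disable(acct, buggy)                  # step 4
    return disavow(acct, token, "owner-pw-2")            # step 5


if __name__ == "__main__":
    print("buggy flow, owner recovers:", reproduce(buggy=True))   # False
    print("fixed flow, owner recovers:", reproduce(buggy=False))  # True
```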
Timeline:
04/14/2022 - Report sent
04/20/2022 - Marked as duplicate (self-dupe of my other report)
04/20/2022 - Asked about the difference between the two reports (several conversations followed)
05/04/2022 - Triaged
06/15/2022 - 1000 USD bounty awarded, including bonus
06/30/2022 - Vulnerability fixed