A security researcher found vulnerabilities in Instagram, Google, and Microsoft enabling him to drain money from the companies. Here's how he did it.
Instagram: Link Account to Premium Number
Instagram supports linking a mobile phone number to an account, which allows other users to look that account up in Instagram’s global address book. After the mobile phone number is entered, Instagram sends a text message containing a 6-digit token:
However, if one does not enter the code within three minutes on the following screen, Instagram will call from California:
This call would last around 17 seconds. The underlying request that triggers it is the one outlined below in Burp Repeater:
The request to https://i.instagram.com/api/v1/accounts/robocall_user/ could only be replayed once every 30 seconds due to rate limiting. However, it was also noticed that Instagram would happily call any number that was supplied to them, such as a premium number of 0.06 GBP/minute in the UK registered via eurocall24.com:
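To show the defensive side of this finding, here is an added example (not code from the original post or from Instagram) that contrasts a throttle enforcing only the 30-second replay gap with one that caps verification calls per account and per destination number per day and refuses premium-rate prefixes. The prefix list, the caps and the assumption that the weak limiter is keyed per account are all constructed for illustration.

```python
"""Verification-call throttling: the weak rule beside a cost-aware policy."""
from collections import defaultdict

# Constructed denylist of premium-rate prefixes as E.164 digits (no '+').
# "449" stands in for UK 09xx premium-rate numbers (assumed mapping); a real
# service would use a number-type lookup from its telephony provider instead.
PREMIUM_PREFIXES = ("449",)
DAY = 86400


def is_premium(number: str) -> bool:
    return number.lstrip("+").startswith(PREMIUM_PREFIXES)


class WeakThrottle:
    """Only a 30-second gap between calls (assumed keyed per account).
    No daily cap and any destination accepted, so one account can keep a
    premium number ringing all day."""
    def __init__(self):
        self.last = {}

    def allow(self, account: str, number: str, now: float) -> bool:
        if now - self.last.get(account, -DAY) < 30:
            return False
        self.last[account] = now
        return True


class CostAwareThrottle:
    """Daily caps per account and per destination plus a premium denylist.
    Keying on the destination also stops many accounts aimed at one number."""
    def __init__(self, per_account=3, per_number=3, min_gap=30):
        self.per_account, self.per_number, self.min_gap = per_account, per_number, min_gap
        self.calls = defaultdict(list)  # key -> timestamps within the last day

    def _recent(self, key, now):
        self.calls[key] = [t for t in self.calls[key] if now - t < DAY]
        return self.calls[key]

    def allow(self, account: str, number: str, now: float) -> bool:
        if is_premium(number):
            return False
        acct = self._recent(("acct", account), now)
        dest = self._recent(("num", number), now)
        if acct and now - acct[-1] < self.min_gap:
            return False
        if len(acct) >= self.per_account or len(dest) >= self.per_number:
            return False
        acct.append(now)
        dest.append(now)
        return True
```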
Read the full post here, including details of Google and Microsoft attacks:
https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/