Revoking Another Users 2FA Phone Number on Instagram ($5000 USD)
Original Post:
We discussed this vulnerability during Episode 93 on 25 October 2021
The gist here is that One-Time-Password brute-force prevention was based on IPs, so using IP rotation could get around that.
The overall attack chain was to attempt to register a new account using an existing accounts phone number. The OTP is sent to validate the new account, it can be bruteforced, and then once validated, any existing user that is using that phone number as a 2FA will have it removed. Allowing the attacker to remove the phone number as a 2FA option.