Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability!

(Photo Illustration by Thomas Trutschel/Photothek via Getty Images)

Hi guys, I hope all of you are doing great and in good health.

Today I will show you a ClickJacking bug I found in Instagram that allowed me to iframe AJAX responses and lets an attacker steal the tokens of your Instagram-connected applications, and hence hijack your account!


Let’s steal some tokens!


Hey there, how are you doing?

Good? Cool!

In this blog post I will be talking about my experience with minor bugs chained together to steal sensitive tokens.

#1. Stealing CSRF tokens through Google Analytics.

While randomly testing things on apps.shopify.com, I landed on some random app page and hit the Write a review button. I wasn’t logged in, so I was redirected to the login page, and after logging in I was redirected to the application page again. OK, that’s normal. However, what wasn’t normal is that the URL I got redirected to contained this GET parameter: authenticity_token=[CSRF_TOKEN].
