Instagram account is reactivated without entering 2FA ($500)
Suppose I have an Instagram account with 2FA enabled, and I deactivate it for whatever reason, for example deactivating it instead of deleting it so that no one can view my profile or the data in it. What I found is that if my 2FA-enabled account is deactivated and an attacker gets my Instagram password from anywhere, the attacker only needs to enter my password: when they reach the 2FA page, they do not need my 2FA code and the account is reactivated.

This does not happen on Facebook, which shows that it is indeed a vulnerability, and many users may be affected by it. 2FA is part of authentication, and an account is not fully authenticated without it. Being able to reactivate the account without entering 2FA is a misconfiguration: no action should be carried out without 2FA, whether it is reactivation or anything else.
24 June, 2019: Triaged
18 July, 2019: Fixed
20 July, 2019: Bounty awarded $500
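
The ordering flaw described above, as an added sketch that is not Instagram's code: a hypothetical two-step login in which reactivation is either applied right after the password check (the flawed ordering) or deferred until the second factor has been verified (the hardened ordering). All class, field and function names are assumptions, and the credentials are constructed sample values.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    password: str            # plaintext only to keep the sketch short
    second_factor_code: str  # stands in for a real TOTP/SMS verifier
    two_factor: bool = True
    deactivated: bool = True

class LoginFlow:
    """Hypothetical two-step login: password first, then the second factor."""

    def __init__(self, account, reactivate_early):
        self.account = account
        self.reactivate_early = reactivate_early  # True = flawed ordering
        self.password_ok = False

    def submit_password(self, password):
        if not hmac.compare_digest(password, self.account.password):
            return "denied"
        self.password_ok = True
        if not self.account.two_factor:
            return self._complete()
        if self.reactivate_early:
            # Flaw: account state changes on a half-authenticated session.
            self.account.deactivated = False
        return "need_2fa"

    def submit_code(self, code):
        ok = hmac.compare_digest(code, self.account.second_factor_code)
        if not self.password_ok or not ok:
            return "denied"
        return self._complete()

    def _complete(self):
        # Hardened placement: reactivate only after every factor has passed.
        self.account.deactivated = False
        return "logged_in"

def reactivated_by_password_alone(reactivate_early):
    """True if the account is active although no 2FA code was submitted."""
    acct = Account(password="pw-constructed", second_factor_code="000000")
    flow = LoginFlow(acct, reactivate_early)
    assert flow.submit_password("pw-constructed") == "need_2fa"
    return not acct.deactivated
```

With the deferred ordering, reactivation and every other state change sit behind the same fully authenticated checkpoint, so a session that stops at the 2FA page leaves the account untouched.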