When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Instagram is one of the most popular social media platforms worldwide, and its mobile app supports managing multiple accounts seamlessly. Users can switch between different Instagram profiles without logging out, making it easier to separate personal, business, or other accounts on the same device.

One of Instagram’s essential security features is two-factor authentication (2FA), which adds an extra layer of protection by requiring users to verify their identity beyond just a password. Among the available 2FA methods, SMS-based verification is widely used due to its simplicity and effectiveness. However, while testing Instagram’s multi-account creation process, I uncovered a surprising flaw related to SMS-based 2FA that could impact user security and privacy.


Description of the Issue

While logged into an Instagram account with 2FA enabled using SMS and an authenticator app, I used the “Add Account” → “Create New Account” feature to register a second account with the same Gmail address. What I found was concerning: Instagram automatically enabled SMS-based 2FA on the new account without sending any verification code or requiring my consent.

Technically, this means Instagram reused the previously verified phone number from the first account and silently activated SMS 2FA on the new account. This behavior bypasses the critical security step of verifying that the user has access to the phone number, which is fundamental to the integrity of 2FA.


How to Reproduce the Issue

  1. Log in to Instagram on the mobile app with an account (Account A) that has two-factor authentication enabled via SMS and an authenticator app.

  2. Navigate to the profile section and use the “Add Account” → “Create New Account” option.

  3. Register a new Instagram account (Account B) using the same Gmail address linked to Account A.

  4. After creating Account B, go to: Settings → Security → Two-Factor Authentication → Text Message.

  5. Notice that the phone number from Account A is already populated and SMS 2FA is enabled, without any request for a verification code or confirmation.

  6. Try disabling and re-enabling SMS 2FA on Account B to observe that Instagram still does not require fresh phone number verification.


Security and Privacy Impact

This issue presents several serious risks:

  • Bypassing 2FA Verification: The core purpose of SMS-based two-factor authentication is to require a second proof of identity, typically an OTP sent to the user’s phone. Instagram skipping this step weakens the security model and increases the risk of unauthorized access.

  • Silent Phone Number Linking: Automatically reusing a phone number between accounts without verification creates a hidden link between those accounts. This raises concerns about privacy, as it can expose users to unwanted tracking or account association.

  • Account Takeover Potential: If an attacker gains access to the Gmail account or an active Instagram session, they could create new accounts with 2FA automatically enabled on a phone number they do not control, making detection and recovery more difficult.

  • User Consent Ignored: Security features that activate silently without informing users undermine trust in the platform and its security mechanisms.


Business Impact

From a business perspective, this flaw can have significant consequences:

  • Erosion of User Trust: Users expect 2FA to provide genuine security. Discovering that Instagram silently enables 2FA without verification may lead to doubts about the platform’s commitment to security.

  • Increased Support Costs: Confused or impacted users might contact customer support more frequently for account recovery, lockouts, or clarifications, increasing operational expenses.

  • Potential Regulatory Scrutiny: Privacy and security flaws related to authentication may attract attention from regulators, especially in jurisdictions with strict data protection laws.

  • Reputational Damage: News of such security issues can damage Instagram’s brand, especially in the competitive social media market where trust is key.


Conclusion

In my testing of Instagram’s multi-account creation feature, I found that SMS-based two-factor authentication could be enabled on a new account silently, reusing a phone number verified on an existing account without asking for fresh confirmation. This behavior bypasses a fundamental security step, creating privacy and security risks for users.

This issue highlights the importance of treating each Instagram account as a separate security entity, requiring explicit user verification for sensitive features like 2FA. Ensuring that verification codes are sent and confirmed each time strengthens security and maintains user trust.
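As an added illustration (not Instagram's code or the author's), the following Python model contrasts the flawed behaviour described above, where a phone number verified for one account in the device session is accepted for another, with a per-account flow that always sends and checks a fresh code. All names (SmsTwoFactorService, DeviceSession, the send_sms callback) and the sample phone numbers are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory model of a service whose mobile app lets several
# accounts share one device session (hypothetical names, not Instagram's code).
@dataclass
class Account:
    username: str
    sms_2fa_phone: Optional[str] = None   # phone used for SMS 2FA, if enabled

@dataclass
class DeviceSession:
    accounts: dict = field(default_factory=dict)     # username -> Account
    verified_phones: set = field(default_factory=set)  # phones verified by ANY account here

class SmsTwoFactorService:
    """Verification state keyed by (account, phone): a phone verified for
    Account A never counts as verified for Account B."""
    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, code); an SMS gateway in practice
        self._pending = {}         # (username, phone) -> sha256 of the outstanding OTP

    def enable_flawed(self, session, username, phone):
        """Behaviour the post describes: reuse of a session-wide verified phone,
        so the new account gets SMS 2FA with no code sent and no consent."""
        if phone in session.verified_phones:
            session.accounts[username].sms_2fa_phone = phone
            return True
        return False   # a real flow would fall through to an OTP challenge here

    def start_enable(self, username, phone):
        """Hardened step 1: always challenge THIS account for THIS phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(username, phone)] = hashlib.sha256(code.encode()).hexdigest()
        self.send_sms(phone, code)

    def confirm_enable(self, session, username, phone, code):
        """Hardened step 2: enable only after the code for this pair matches."""
        expected = self._pending.get((username, phone))
        if expected is None:
            return False   # no challenge outstanding for this account/phone pair
        if not hmac.compare_digest(expected, hashlib.sha256(code.encode()).hexdigest()):
            return False   # wrong code; the pending challenge stays until it expires
        del self._pending[(username, phone)]   # single use
        session.accounts[username].sms_2fa_phone = phone
        return True
```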
