July 10, 2026
INSTAGRAM Account Takeover 0-click Username and email Collision in Password Recover
Hello everyone,

By Ali
5 min read
Hello everyone,
A Indian hacker and a student so the story begin with hacking when i have completed my ethical hacking i went to web application hacking "Bug Bounty" and learned about everything like Idor , rate limit ,race conditon , xss ,rce smuggling request of http and…etc
On the 3 day of learning i founded a stored xss on the 20.min website at bug crowed i was to happy i have reported it but after reporting like 1 day got duplicate one of the top turkey hunter had reported first as i have seen
so i got some motivated i have learned more and i am just trying and reported tried everything but its been almost 2 months got rejected not applicable and total 12+ duplicate so i decided to learn more got http and everything trying new things and i am doing it for like 3 months and finally i tried with x(twitter) so i tried but the backend was not accepted so
Next i go to instgarm and tried a account of mine where i was able to login with 0-click and tried more it can also lockout the victim account so let me explain clearly
In simple we can say as :-
Username to Email Collision Vulnerability in Password Reset Allows Account Takeover This Collision Leading to Unauthorized Account Access
For example My account i am victim and my username will be like
@metabugs and this is my instagram username and the email linked with
random@gmail.com. So next step a attcker can perform is he will create a new email like same as username like this "metabugs@gmail.com" and go after making new email he will go to password reset and add this email
and even if you will enter the username both will get sended password reset link and if you just add the email new which was created the pass rest link will come to "metabugs@gmail.com" and after reset i have saw the email was added with 0-click without any intracation and i was able to remove the older mail with out any verfication i am getting the otp at new email
So disclamer about gmail once a gmail was deleted it cant be create it self even the owner can make the same email address so it is clean ato bug that username and email collison.
So next i tried with another account it was not comming so there was more number of instagram so i was thinking how can i report if they wont able to reproduce what so i have just seen somthing like a instgram username and gmail checker of the username as the accounts will see without rate limit i can gain accounts i have saw without exploiting i have done my work
GraphQL internal APIs to send or recover and etc like one of example
/api/v1/accounts/send_recovery_flow_email/api/v1/accounts/send_recovery_flow_emailSo i have taked it as detail where i have reported two bugs one is with proffesional way second somthin like using the scripts as without exploiting it i have said but the scripts was not aplicable so i decieded
the another bug was clean and got like trige
So i got this report id #812574811558003
i am still waiting because i have used bug crowd and hackerone platforms they do give response faster so i decided to report once again because maybe they are not seen so i have done same at november 28 same got response
Friday 28 November 2025 at 04:07
Our reply
Hi Md,
A member of Meta’s security team has seen your report and performed an initial evaluation.
We will get back to you once we have more information to share.
Thanks,
Meta SecurityFriday 28 November 2025 at 04:07
Our reply
Hi Md,
A member of Meta’s security team has seen your report and performed an initial evaluation.
We will get back to you once we have more information to share.
Thanks,
Meta SecurityThis report id :- #831844292964388
So after all i have waited a lot and finnaly i came to know they have fixed this bug at January 1 week and still i have waited for response for every single day they will responses and i can finally get a my big reward and get into hacker+ but after all finally at march 10 like almost 128 days i got reply
Like lol i am fully frusted i just hated this message and another report which i have reproted at nov 28 that reply also came same at next day
I FULLYY TOUGHT META SAYS TO MUCH ABOUT BUG BOUNTY AND THEY WILL PATCH SILENTLY AND SAY NOT APLICABLE
even after this i have reported pixel server dos and sop bypass attck both are still new like from 18 weeks
But well if attcker gain this method they can do as you all are bug bounty knows the impact of 0-click ato
Well if you are bugbounty hunter you know well how i felt for this worst meta bug bounty program just hipe they will see for there top reserchers only
So i decided let me try to connet with meta bug bounty team i have done osient and i am able to find 6 members i got emails and conatct info in that there was a person in linkdin "META BUGBOUNTY MANGER" he use to final the report and all head if the meta bug bounty team and i have osient him i got emails and phone number of him i have emailed him no response and then he connected with me in linkdin and he wont see message but there was a comment of him he is saying to hunt on meta we pay more and have good response so i said to him what about my ato sir atleste according to policy you can say when it was reported before if it will duplicate i have reported twice 28 days before and begain also your team maybe got misunderstanding so he usally blocked me his name is Roman Lifshits he is form israel maybe he is the manger of meta bug bounty
let uss se what happen i have added a request the status was Review Requested from past 121 days.
At last i wont report new bugs to meta where i founded 1 critical bug as same on instagram and 2xp4 like bugs i wont report it i stoped meta bug bounty hunting worst experience.
IN SIMPLE EXPLAINTION PIC
Step to reproduce
1. find a username type platform rember in the reset option there should alow to add username
2. create a same gmail like username. what type of account you are doing the
email domain part you shold know like yahoo gmail etc. it will work only for same email domain
3. creat check the email is avlaible if avliable create else check diffrent account
4. go to app send reset link you will get to your new email
Example:-
i have a account username is @metabugbounty this is linked with random@gmail.com
i will creat a new email like metabugbounty@gmail.com and go to instgarm then
password reset link i will send it will come in metabugbounty@gmail.com
where as it should go to random@gmail.com. so i will login and remove the old mail
buypass 2fa with new email because the server added this email without any verfication
By my assmuption the server works like if you send the reset link it will travel
through username like it will go metabugbount the server get confuse because they will send
like sending username or new email like m****y@gmail.com
Reset
email == username = server then server == email == username confuse and add new emailStep to reproduce
1. find a username type platform rember in the reset option there should alow to add username
2. create a same gmail like username. what type of account you are doing the
email domain part you shold know like yahoo gmail etc. it will work only for same email domain
3. creat check the email is avlaible if avliable create else check diffrent account
4. go to app send reset link you will get to your new email
Example:-
i have a account username is @metabugbounty this is linked with random@gmail.com
i will creat a new email like metabugbounty@gmail.com and go to instgarm then
password reset link i will send it will come in metabugbounty@gmail.com
where as it should go to random@gmail.com. so i will login and remove the old mail
buypass 2fa with new email because the server added this email without any verfication
By my assmuption the server works like if you send the reset link it will travel
through username like it will go metabugbount the server get confuse because they will send
like sending username or new email like m****y@gmail.com
Reset
email == username = server then server == email == username confuse and add new emailA clean account takeover with my 1 month nights effort what next.
well you can freely comment or mail me if you want to talk or something details about once the Review Requested one it will resolve with this i will share there response and make new write up in that i will add all poc even videos of account takeover.
ignore mistakes and spelling.
THANK YOU.
indian.hackers.for@proton.me