We often assume that Two-Factor Authentication (2FA) is a silver bullet for security. But what happens when the attack doesn't steal the password, but the session token itself?
Last week at BOS.al, we analyzed a sophisticated phishing attack targeting Instagram business accounts in Albania. The vector? A fake 'Copyright Infringement' DM that tricked users into granting OAuth permissions to a malicious third-party app.
Unlike traditional credential harvesting, this method never touches the login flow, so the protections that sit on login are never exercised. Once the user clicks "Authorize," the attacker's app holds a persistent access token for the account. This allows them to automate actions—like posting spam or messaging followers—without ever needing to bypass 2FA again or trigger a "suspicious login" alert, and a password reset alone does not invalidate the grant; the app's permission has to be revoked explicitly.
In this post, I want to share a technical breakdown of how this exploit works and the specific steps we took to identify the intruder, revoke the malicious API permissions, and sanitize the account.
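The identification and revocation steps above come down to one question: which third-party apps currently hold a grant on the account, with what scopes, and since when? The following Python script is an added example (not the BOS.al team's tooling, and not any provider's API) that audits a constructed export of authorized apps, flags grants that are unrecognised, recent, from an unverified publisher, or that carry scopes letting the app post or message as the user, and produces the list to revoke. The export format, field names, scope names and app identifiers are all assumptions made for the example.

```python
"""Audit third-party OAuth grants on a social-media account.

Added example, not code from the original post. The JSON export below is
constructed to resemble an "authorized apps" listing; its fields, scope
names and app ids are assumptions, not any real provider's format.
"""
import json
from datetime import datetime, timedelta, timezone

# Scopes that let an app act as the account owner (assumed names).
HIGH_RISK_SCOPES = {"publish_content", "manage_messages", "manage_account"}

# Constructed sample export: three grants, one of which is the
# "copyright support" app a phished user would have authorized.
SAMPLE_EXPORT = json.dumps([
    {"app_id": "app-1001", "name": "Scheduling Tool", "publisher": "verified-vendor",
     "scopes": ["read_profile", "publish_content"],
     "granted_at": "2024-01-10T09:00:00Z", "last_used": "2024-05-01T12:00:00Z"},
    {"app_id": "app-2042", "name": "Copyright Center Support", "publisher": "unknown",
     "scopes": ["read_profile", "publish_content", "manage_messages"],
     "granted_at": "2024-05-20T14:32:00Z", "last_used": "2024-05-21T03:15:00Z"},
    {"app_id": "app-3003", "name": "Analytics Viewer", "publisher": "verified-vendor",
     "scopes": ["read_profile", "read_insights"],
     "granted_at": "2023-11-02T10:00:00Z", "last_used": "2024-05-19T08:00:00Z"},
])

# Grants the account owner confirms they recognise (constructed).
ALLOWLIST = {"app-1001", "app-3003"}

# Fixed "now" so the example is reproducible (constructed).
AUDIT_TIME = datetime(2024, 5, 22, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the export's UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grants(export_json, allowlist, now, recent_days=30):
    """Return one finding per app: its id, name, recommended action and reasons."""
    findings = []
    for app in json.loads(export_json):
        reasons = []
        risky = sorted(set(app["scopes"]) & HIGH_RISK_SCOPES)
        unrecognised = app["app_id"] not in allowlist
        if unrecognised:
            reasons.append("not in allowlist")
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if now - parse_ts(app["granted_at"]) <= timedelta(days=recent_days):
            reasons.append("granted in last %d days" % recent_days)
        if app["publisher"] == "unknown":
            reasons.append("unverified publisher")
        # Revoke when an unrecognised app holds scopes that let it act as the user;
        # everything else is left for the owner to review.
        action = "revoke" if (unrecognised and risky) else "keep"
        findings.append({"app_id": app["app_id"], "name": app["name"],
                         "action": action, "reasons": reasons})
    return findings


def revocation_list(findings):
    """App ids whose grants should be removed in the account's app settings."""
    return [f["app_id"] for f in findings if f["action"] == "revoke"]


if __name__ == "__main__":
    results = audit_grants(SAMPLE_EXPORT, ALLOWLIST, AUDIT_TIME)
    for f in results:
        print(f"{f['action']:6} {f['app_id']} {f['name']!r}: "
              f"{'; '.join(f['reasons']) or 'no findings'}")
    print("revoke:", revocation_list(results))
```

Run against the sample, only the "Copyright Center Support" grant is marked for revocation: it is unrecognised, was granted two days before the audit, comes from an unverified publisher, and holds both posting and messaging scopes. The legitimate scheduling tool also holds a posting scope, which is why the decision keys on the allowlist rather than on scopes alone; the point of the audit is to surface every grant so the owner can confirm each one before revoking.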
While I'll cover the core concepts here, we have published the full step-by-step recovery guide (including screenshots of the specific settings menus) in our official case study: