Like any savvy Internaut, I am vigilant about identifying and deleting spam email, so I always carefully review any unexpected item that lands in my inbox before clicking on it. I was suspicious when this email appeared the other day, as I am not an Instagram user:
I’ve blacked out personal identifying information in these screen snaps.
My first thought was that this was not a legitimate email from Instagram, but I couldn't find any obvious indication of that. The structure and format of the email and all of the links seemed to indicate it was legitimate. I even looked at the message source; the headers and delivery routing all seemed appropriate, given my limited knowledge of such things:
Received: from mail-ie0-f200.google.com ([220.127.116.11]) by COL004-MC6F25.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Fri, 12 Jun 2015 03:40:11 -0700
Received: by ieua9 with SMTP id a9sf54529306ieu.0
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820;
X-Received: by 10.182.46.227 with SMTP id y3mr17535455obm.7.1434105611119; Fri, 12 Jun 2015 03:40:11 -0700 (PDT)
Received: by 10.140.86.149 with SMTP id p21ls2413587qgd.34.gmail; Fri, 12 Jun 2015 03:40:10 -0700 (PDT)
X-Received: by 10.170.46.136 with SMTP id 130mr17722759yko.73.1434105610950; Fri, 12 Jun 2015 03:40:10 -0700 (PDT)
Received: from mx-out.facebook.com (outmail009.prn2.facebook.com. [18.104.22.168]) by mx.google.com with ESMTPS id x68si1394039ywf.212.2015.06.12.03.40.10
Received-SPF: pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199;
X-Facebook: from 2401:db00:2130:70d3:face:0:4f:0 ([MTI3LjAuMC4x]) by api.facebook.com with HTTP (ZuckMail);
Date: Fri, 12 Jun 2015 03:40:09 -0700
To: firstname.lastname@example.org
Subject: Highlights from instagram, knighthaak, notafraid2fail and more
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
Reply-to: Instagram <email@example.com>
Errors-To: firstname.lastname@example.org
X-FACEBOOK-PRIORITY: 0
X-Auto-Response-Suppress: All
MIME-Version: 1.0
X-Original-Sender: email@example.com
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
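Reading headers like the ones above by eye is error-prone, so here is an added example (not from the original post, and not Instagram's or Google's tooling) of how I would triage a message source: walk the Received chain in the order the message actually travelled, pull the SPF result and the envelope-sender domain it vouches for, collect the DKIM signing domains, and then check whether any of those authenticated domains align with the From and Reply-To domains. That alignment is the check that matters: an SPF "pass" only says the relay was allowed to send for the envelope (MAIL FROM) domain, which a bulk mailer can satisfy while the visible From still says "Instagram". The X-Google-DKIM-Signature header with d=1e100.net, present in the headers above, is Google's internal relay signature and is deliberately ignored. Both sample messages are constructed, using reserved example domains and documentation IP ranges; the second one is a lookalike whose SPF and DKIM pass for an unrelated mailer domain.

```python
"""Header triage: delivery chain, SPF/DKIM results and From/Reply-To alignment.
Added example; the two raw messages below are constructed, not real mail."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed, modelled on the structure of the headers quoted in the post.
LEGIT_RAW = """\
Received: from relay.example.net ([192.0.2.10]) by mx.recipient.example.com with ESMTPS; Fri, 12 Jun 2015 03:40:11 -0700
Received: from mx-out.sender.example.com (outmail.sender.example.com. [198.51.100.5]) by relay.example.net with ESMTPS id x68si1394039; Fri, 12 Jun 2015 03:40:10 -0700 (PDT)
Received-SPF: pass (relay.example.net: domain of noreply@sender.example.com designates 198.51.100.5 as permitted sender) client-ip=198.51.100.5;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example.com; s=sel1; h=from:to:subject; bh=xxx; b=yyy
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=from:to; bh=xxx; b=yyy
From: Instagram <noreply@sender.example.com>
Reply-To: Instagram <noreply@sender.example.com>
To: someone@vanity.example.org
Subject: Highlights from ...
"""

# Constructed lookalike: SPF and DKIM both pass, but for the mailer's own domain.
SPOOF_RAW = """\
Received: from bulk.mailer.example.net ([203.0.113.7]) by mx.recipient.example.com with ESMTPS; Sat, 13 Jun 2015 10:00:00 -0700
Received-SPF: pass (mx.recipient.example.com: domain of bounce@mailer.example.net designates 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.net; s=k1; h=from:to:subject; bh=xxx; b=yyy
From: Instagram <noreply@sender.example.com>
Reply-To: Instagram Support <support@mailer.example.net>
To: someone@vanity.example.org
Subject: Password reset required
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_headers(raw):
    return HeaderParser().parsestr(raw, headersonly=True)


def received_chain(msg):
    """(from_host, by_host) per hop, oldest first. Each relay prepends its
    Received header, so the top one is the final hop; reversing gives the path."""
    hops = []
    for rec in reversed(msg.get_all("Received", [])):
        f, b = FROM_RE.search(rec), BY_RE.search(rec)
        hops.append((f.group(1) if f else "(local)", b.group(1) if b else "?"))
    return hops


def spf_result(msg):
    """Received-SPF: result, the envelope (MAIL FROM) domain it covers, client IP."""
    hdr = msg.get("Received-SPF")
    if not hdr:
        return None
    m = re.search(r"domain of\s+(\S+)\s+designates", hdr)
    ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", hdr)
    return {"result": hdr.split()[0].lower(),
            "domain": m.group(1).rsplit("@", 1)[-1].lower() if m else None,
            "client_ip": ip.group(1) if ip else None}


def dkim_domains(msg):
    """d= of genuine DKIM-Signature headers only; X-Google-DKIM-Signature
    (d=1e100.net) is Google's internal relay signature and proves nothing
    about the originating sender, so it is excluded on purpose."""
    return [m.group(1).lower() for sig in msg.get_all("DKIM-Signature", [])
            for m in [re.search(r"\bd=([^;\s]+)", sig)] if m]


def org_domain(d):
    # Naive organisational domain (last two labels). Real DMARC relaxed
    # alignment uses the Public Suffix List, so e.g. example.co.uk needs more care.
    return ".".join(d.lower().split(".")[-2:])


def header_domain(msg, name):
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def assess(raw):
    msg = parse_headers(raw)
    spf, dk = spf_result(msg), dkim_domains(msg)
    frm, rpl = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    spf_aligned = bool(spf and spf["result"] == "pass" and spf["domain"] and frm
                       and org_domain(spf["domain"]) == org_domain(frm))
    dkim_aligned = bool(frm and any(org_domain(d) == org_domain(frm) for d in dk))
    reply_ok = bool(frm) and (rpl is None or org_domain(rpl) == org_domain(frm))
    return {"chain": received_chain(msg), "spf": spf, "dkim_domains": dk,
            "from_domain": frm, "reply_to_domain": rpl,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "reply_to_matches_from": reply_ok,
            "verdict": "authenticated and aligned with From"
                       if (spf_aligned or dkim_aligned) and reply_ok
                       else "NOT aligned with From: treat as suspicious"}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RAW), ("spoof", SPOOF_RAW)):
        r = assess(raw)
        print(label, r["verdict"])
        for hop in r["chain"]:
            print("   ", hop[0], "->", hop[1])
```

Run it on a real message by pasting the header block into `assess()`. A "pass" that is not aligned with the From domain is exactly the case where the visible sender name is worth nothing, and a Reply-To that points somewhere other than the From domain deserves a second look even when the authentication results themselves are fine.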
Ordinarily I would simply delete the email, but my curiosity was piqued by its apparent legitimacy, so I put it aside for a few days until I had more time to check it out.
When I looked at this email again, I decided to check whether I had perhaps created an Instagram account to try out the service and then abandoned and forgotten about it. So I started by navigating directly to Instagram's login page to look for an account recovery link, rather than clicking on any links in the email.
It is worth noting that my email address is very distinctive and unlikely to be similar to another address, because it belongs to a vanity domain that is limited to a very small number of users whom I know personally. Hence it is impossible that someone unknown to me would have accidentally typed my email address into their Instagram account registration. So I felt justified in trying to recover the account as possibly my own.
Having found a "Forgot?" [password] link on the Instagram login page, I navigated to the password reset screen. I requested a reset using my email address from the To: line of the original Instagram email, assuming it was linked to a legitimate Instagram account that I had created at some point in the past:
The password reset screen was followed by a confirmation screen:
This resulted in a password reset email from Instagram arriving in my inbox which revealed the underlying account name responsible for the original Highlights email, @benoverbrabou:
This deepened the mystery, as I had no recollection of having chosen this account name. However, this account was clearly linked with my email address, and once again the email structure and format looked 100% legitimate. So I proceeded to click on the Reset Password link in the email to complete the reset, in the hope of gaining clarification from the Instagram account properties and settings.
In retrospect, since I still had doubts about the legitimacy of the Instagram email, I should have copied this link into an incognito / private browser session or, even better, a browser in a virtual machine, to avoid any chance of a drive-by download attack. (A caveat worth remembering: an incognito or private window only isolates cookies and session state; it does not sandbox the browser, so on its own it is no defence against a drive-by download. A virtual machine or a throwaway device is.) But I didn't think of that. It is hard to remember 100% of the safety best practices for email and web browsing! Luckily the Reset Password link was a legitimate Instagram URL, https://instagram.com/accounts/password/reset/confirm/xxxxxx/xxx…/, and this second email really was from Instagram.
The Reset Password link from the second email led to a page on the Instagram website where I entered a new password. Unfortunately I didn't immediately take a screen snap of this page, and it had expired when I tried to navigate back to snap it, so I can't include it here.
Instead here is a sample of how the screen looked when I attempted to reproduce these steps a few days later:
As an aside, when I reproduced these steps a few days later, the Instagram website behaviour following this password reset page was different from the steps that I describe next. The new behaviour is to redirect to the Instagram login page. It seems someone noticed the issue that I describe in this blog post and changed the page flow.
At the time when I first followed this sequence, the password reset page was followed by an account verification screen that prompted me to supply my cellular phone number. As I still had some doubts about the Instagram account and the whole situation, I had no intention of providing further personal information to Instagram for this account, so I entered a dummy phone number:
This was followed by a predictable screen to enter the security code sent to the phone number provided on the prior screen, a code which I would never receive since I had provided a dummy phone number:
This seemed to be the end of my investigation into the Highlights email and the associated mysterious Instagram account @benoverbrabou, as it appeared that a confirmed cellular phone number was required as part of the password reset process.
I was about to give up when I looked again at the Reset Your Password (second) email and noticed another option, “If this is not your account you can remove your email from it,” with URL https://instagram.com/accounts/remove/report_wrong_email/xxxxxx/xxx…/:
This seemed like the next best alternative in the event that the account was not mine and my email address was incorrectly or maliciously associated with it. So I proceeded to click on the "remove your email from it" link in the email, in the hope of no longer receiving any further Instagram emails associated with the @benoverbrabou account. This led to a page on the Instagram website confirming that my email was no longer associated with this account.
Unfortunately, again I didn't immediately take a screen snap of the "remove your email" page, and the action was invalidated when I navigated back to snap it, so an error message ("This is not a valid link", partially greyed out by me) was displayed where the original confirmation message had been:
Here is a sample of how the screen looked when I attempted to reproduce these steps a few days later:
Once again the latest Instagram website behaviour was different from the steps I describe next. Now the result is to confirm that the email address has been removed from the Instagram account without logging the account in, and hence without granting any further access to the account. As before, it seems the Instagram folks noticed the issue that I describe in this blog post and changed the page flow.
In the original sequence, the really interesting detail is that the page shows the @benoverbrabou account logged in. This was very surprising, as the prior password reset sequence, with its request for a cellular phone number for account verification and the security access code, gave the impression that the access code was required in order to complete the password reset. However, it appears that Instagram actually completed the password reset and logged the account in automatically, without giving any indication of this. In other words, anyone who controls the email address on an account could take it over without ever completing the phone verification step.
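The flaw described above is one of ordering: the new password was committed, and a session issued, as soon as the password page was submitted, so the phone and code screens that followed were decorative. The following is an added, hypothetical illustration of that flow as a small state machine, written for this page and not Instagram's code; the SMS step is simulated with an in-memory outbox, and the account, email address and phone number are constructed. With `issue_session_early=True` it reproduces the sequence from the post (reset request, new password, dummy phone number, code never entered) and shows the password changed and a live session anyway; with the flag off, nothing is committed until the code is verified, and the "remove your email" link voids the reset without creating a session, which matches the page flow the post says Instagram moved to.

```python
"""Password-reset flow with a phone-verification step, flawed ordering beside
the fixed one. Added hypothetical illustration; not Instagram's code."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def hash_pw(pw: str, salt: bytes = b"demo-salt") -> str:
    # Demo only: a real service would use argon2/bcrypt/scrypt with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


class Account:
    def __init__(self, username: str, email: str, password: str) -> None:
        self.username, self.email = username, email
        self.password_hash = hash_pw(password)
        self.phone: Optional[str] = None


class ResetFlow:
    """issue_session_early=True reproduces the ordering described in the post:
    the password is committed and a session created on the password page,
    before the phone/code step. With it off, the code gates everything."""

    def __init__(self, account: Account, issue_session_early: bool = False) -> None:
        self.account, self.issue_session_early = account, issue_session_early
        self.pending: Dict[str, dict] = {}           # reset token -> state
        self.sessions: Dict[str, str] = {}           # session id -> username
        self.sms_outbox: List[Tuple[str, str]] = []  # (phone, code): simulated SMS

    def _new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = self.account.username
        return sid

    def request_reset(self, email: str) -> Optional[Dict[str, str]]:
        """The two links the reset mail carries, as bare single-use tokens.
        (A real service answers identically for unknown addresses to avoid enumeration.)"""
        if email.lower() != self.account.email.lower():
            return None
        reset_tok, remove_tok = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[reset_tok] = {"stage": "requested", "remove_token": remove_tok}
        return {"reset": reset_tok, "remove_email": remove_tok}

    def _state(self, tok: str, expected_stage: str) -> dict:
        st = self.pending.get(tok)
        if st is None or st["stage"] != expected_stage:
            raise PermissionError("This is not a valid link")   # the message the post quotes
        return st

    def set_new_password(self, tok: str, new_password: str) -> Optional[str]:
        """Password page. Returns a session id only in the flawed ordering."""
        st = self._state(tok, "requested")
        st["new_hash"], st["stage"] = hash_pw(new_password), "password_staged"
        if self.issue_session_early:
            # FLAW: commit and log in before the second factor has been proven.
            self.account.password_hash = st["new_hash"]
            return self._new_session()
        return None

    def send_code(self, tok: str, phone: str) -> None:
        st = self._state(tok, "password_staged")
        st["phone"], st["code"], st["stage"] = phone, f"{secrets.randbelow(10**6):06d}", "code_sent"
        self.sms_outbox.append((phone, st["code"]))  # a dummy number never sees this

    def verify_code(self, tok: str, code: str) -> str:
        st = self._state(tok, "code_sent")
        if not hmac.compare_digest(st["code"], code):
            raise PermissionError("bad code")
        # Only now: commit the staged password, bind the phone, consume the token, log in.
        self.account.password_hash, self.account.phone = st["new_hash"], st["phone"]
        del self.pending[tok]
        return self._new_session()

    def remove_email(self, remove_tok: str) -> bool:
        """'If this is not your account' link: unlink the address and void the
        whole reset request; no session is issued."""
        for reset_tok, st in list(self.pending.items()):
            if hmac.compare_digest(st["remove_token"], remove_tok):
                del self.pending[reset_tok]
                self.account.email = ""
                return True
        return False


def walk_post_sequence(issue_session_early: bool) -> dict:
    """Reset, new password, dummy phone, code never entered (constructed data)."""
    acct = Account("someaccount", "you@vanity.example", "old-pass")
    flow = ResetFlow(acct, issue_session_early)
    old_hash = acct.password_hash
    links = flow.request_reset(acct.email)
    session = flow.set_new_password(links["reset"], "new-pass")
    flow.send_code(links["reset"], "555-0100")
    return {"logged_in": session is not None and session in flow.sessions,
            "password_changed": acct.password_hash != old_hash}


def complete_with_code() -> bool:
    """Fixed ordering, legitimate owner reads the code off the phone."""
    acct = Account("someaccount", "you@vanity.example", "old-pass")
    flow = ResetFlow(acct)
    links = flow.request_reset(acct.email)
    flow.set_new_password(links["reset"], "new-pass")
    flow.send_code(links["reset"], "555-0100")
    phone, code = flow.sms_outbox[-1]
    sid = flow.verify_code(links["reset"], code)
    return sid in flow.sessions and acct.password_hash == hash_pw("new-pass") and acct.phone == phone


if __name__ == "__main__":
    print("flawed ordering:", walk_post_sequence(True))
    print("fixed ordering: ", walk_post_sequence(False))
    print("fixed, with code:", complete_with_code())
```

The design point is that every side effect with security value (committing the password, binding the phone, minting the session, consuming the token) happens in `verify_code`, and the earlier pages only stage state. Reusing the password link after it has been submitted raises the same "This is not a valid link" error the post ran into, because the token has moved past the stage that page expects.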
At that point I was able to navigate around the @benoverbrabou account and, in particular, to select the Edit Profile link from the left-hand navigation, which led to the following page:
The email field clearly contains a dummy email address, since it is from the @example.com domain. Having never used Instagram, I was not aware of how or where my own email address might have been linked or stored as a secondary email address before I deleted it; there was no clear indication of this.
Next I selected the account name from the top navigation bar, which led to the following page:
Fortunately for my sleuthing, I was able to navigate back to the account home page and abort the auto-redirect with a simple ESC key press, so I was able to view the full page contents.
Clearly the @benoverbrabou account had never been used, as it had no posts, no photos, and no followers or followed accounts.
At this point I had gathered enough information to judge with considerable certainty that the @benoverbrabou account, which had been linked to my email address and had given rise to the Highlights email, was not an account created by me. Further, it seemed quite likely that the @benoverbrabou account was either abandoned or in use by spammers. In either case, I was satisfied at having unlinked my email address from the account. I resolved to leave the account alone and only intervene further with Instagram if this account or any other account again became linked to one of my email addresses.
Coda: Two weeks later I stumbled on the news that the Instagram Highlights email was a brand new feature designed to re-engage users who had lost interest in the photo sharing service: Instagram 'highlights' emails hitting your inbox soon (The Verge, May 24, 2015) and many other tech news sites. The fact that the Highlights email was a brand new occurrence would explain why the circumstances I describe here occurred only just now, and were then patched to avoid information leaking.