Posts

Bypassing Claude AI Free-Tier Rate Limits via Account Deletion and Recreation

Overview

A significant issue has been identified on Claude AI’s platform where users can bypass imposed usage rate limits on free-tier accounts by simply deleting their account and immediately re-registering using the same email address. This loophole effectively resets the usage counters, allowing unrestricted free access and enabling potential abuse of the platform’s resource allocation and monetization strategies. While this behavior does not directly compromise system security or user data confidentiality, it highlights a critical gap in business logic and platform design that could have severe financial and operational impacts if left unaddressed.

Description of the Issue

Claude AI enforces daily or monthly usage quotas for free-tier accounts to manage resource consumption and encourage paid upgrades. However, this enforcement currently ties limits only to active account sessions, without persistent tracking of user identities beyond account existence. Users who reach their...

Critical 2FA Phone Number Auto-Enablement Flaw in Instagram Multi-Account Setup

Overview

A significant security flaw has been identified in Instagram’s mobile app involving the multi-account creation feature and two-factor authentication (2FA) settings. This vulnerability silently enables SMS-based 2FA on a newly created Instagram account without any user confirmation or verification, by automatically linking a previously verified phone number from an existing account. This unexpected behavior undermines the fundamental security principle of explicit user consent and verification in 2FA setups, potentially exposing millions of users to unauthorized security configurations.

Description of the Issue

When a user who is logged into Account A with 2FA enabled via both phone and authenticator app creates a second account (Account B) using the same Gmail address within the same Instagram app session, the following occurs: Upon enabling 2FA via SMS on Account B, Instagram automatically activates it using the phone number verified for Account A. This happ...

When One Toggle Controls Them All: Active Status Sync Issue in Messenger Lite

Saturday, June 25, 2022 at 11:36 PM

Switching between multiple Facebook Messenger Lite accounts on the same device should be straightforward — each account’s settings, including active status, are expected to be independent. But what if changing the active status on one account unexpectedly changes it for all others?

During testing, I found a surprising privacy issue that affects multiple Messenger Lite users logged into the same device: toggling the active status (online/offline) on one account causes all other logged-in accounts’ active statuses to switch accordingly — without their knowledge or consent.

How It Works

Here’s the scenario: You log into User A on Messenger Lite and set your active status to OFF (invisible). Then, switch to User B on the same device. You’ll notice User B’s active status also turns OFF automatically — and you get notified about User A’s status change. Switching accounts repeatedly applies the same active status setting across all accounts ...

When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio

Managing social media pages and accounts often involves linking Instagram profiles with Facebook Pages using Creator Studio. This integration lets admins respond to Instagram DMs and comments directly from Facebook’s Creator Studio desktop interface, streamlining content management. But what if disconnecting your Facebook Page from an Instagram account didn’t actually sever access?

The Unexpected Risk

I discovered a critical privacy flaw involving Instagram accounts sold or transferred to new owners. Even after disconnecting a Facebook Page from an Instagram account in Creator Studio, I could still:

View and receive new and old Instagram Direct Messages and comments from the Instagram account I had sold in 2022.

Send replies and comments on behalf of that Instagram account, without the knowledge or consent of the new owner or Instagram admin.

In other words, despite officially ending the connection, access to sensitive Instagram interactions remained open through Creator...

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private.

But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature. This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private.

What’s Happening?

Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences.

Why This Is a Problem

Privacy settings are fundamental to user trust. If a user takes the time to hi...

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge?

While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification. Yes, you read that right — no SMS code, no confirmation, nothing.

How This Happens

Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail. When you try to enable 2FA via text message on Account B, Instagram doesn’...

TikTok’s Tagging and Mention Settings Bypass: A Simple Business Logic Flaw

A couple of years ago, I discovered a significant privacy issue on TikTok related to the tagging and mention settings. At that time, TikTok allowed users to turn off tagging and mentions in their privacy settings — a key control designed to give users more control over their interactions. However, despite these settings being turned off, it was still possible to tag or mention users. This meant that users could receive unwanted mentions or tags even after explicitly disabling them.

What Was the Issue?

The problem boiled down to a simple business logic flaw: TikTok’s backend failed to properly enforce the “disable tagging/mention” setting. Mentions and tags were allowed regardless of user preferences. This violated users’ expectations of privacy and control on the platform.

Why It Mattered

For many users, privacy controls are critical. If someone chooses to disable mentions and tagging, they expect that choice to be respected to avoid harassment, spam, or unwanted atten...