\nIt must be the season for API security incidents. Hot on the heels of a developer leaking an API key for private Tesla and SpaceX LLMs, researchers have now discovered a set of tools for validating account information via API abuse, leveraging undocumented TikTok and Instagram APIs.<\/p>\n
The tools, and assumed exploitation, involve malicious Python packages – checker-SaGaF, stein lurks, and inner core – uploaded to PyPI. These packages automate the process of verifying whether a stolen email, username, or password were linked to an active account. In this post, we\u2019ll explore the details of this incident and how Wallarm can help protect against similar API misuse. <\/p>\n
## What Happened: APIs Turned into Recon Tools<\/p>\n
Each of the packages targeted legitimate, largely undocumented API endpoints used by official apps for account recovery, login checks, and signup flows. By leveraging these API endpoints, the tools confirmed whether a given email, username, or password was tied to a valid account without triggering alerts. <\/p>\n
For example: <\/p>\n
* **TikTok\u2019s internal password reset API** was used to send fake password recovery requests. If the API returned a \u201cSent Successfully\u201d response, attackers would know the email and be connected to a real account.
* **Instagram\u2019s login API** was probed with dummy credentials. If the error response indicated a wrong password, but didn\u2019t mention the user was invalid, it confirmed the username existed.
* **Additional Instagram endpoints** were used to check email availability during signup, trigger password resets, or query user lookup APIs. These endpoints weren\u2019t meant for public access, but since they were accessible over the internet, they were fair game for abuse. <\/p>\n
This isn\u2019t really a compromise, per se. It\u2019s a toolset supporting automated and scalable reconnaissance using these platforms\u2019 own APIs to do the heavy lifting. <\/p>\n
## The Stakes: Why Validation Matters<\/p>\n
By chaining the validation tests available in these tools, attackers could build verified lists of active TikTok and Instagram accounts. By validating credentials, malicious actors dramatically increased their value for resale and provide a reliable foundation for future attacks like credential stuffing or phishing. <\/p>\n
Some of the tools and tests rotated user agents, spoofed device details, and randomized requests to avoid rate limits and detection. This means credentials weren\u2019t added to platforms like Have I Been Pwned, which track exposed credentials, demonstrating a level of sophistication beyond basic bot activity. <\/p>\n
What\u2019s more, because password reuse is still rampant, testing credentials on platforms like Instagram or TikTok allows attackers to identify which ones might work elsewhere, such as on email, online banking, or e-commerce accounts. Essentially, attackers turned these legitimate APIs into reconnaissance tools, helping them map exploitable identities. <\/p>\n
## Malicious Automation, Disguised as Normal Behavior<\/p>\n
These credential checkers are an example of how malicious automation can leverage legitimate apps to evade detection. For example, steinlurks used multiple functions to target Instagram, cycling through different endpoints, rotating session IDs, and spoofing device details to avoid detection. <\/p>\n
This isn\u2019t just API abuse; it’s stealthy, adaptive automation designed to blend in with real user traffic and fly under the radar of traditional defenses. <\/p>\n
## Detecting API Abuse: Why Behavior Matters<\/p>\n
Because these requests resemble legitimate application requests, conventional defenses like IP blocking, rate limits, or static bot detection aren\u2019t enough. Organizations need behavioral detection, monitoring how APIs are used over time, instead of looking at individual requests. While these testing tools may send requests that are crafted to appear valid, they don\u2019t replicate the applications\u2019 behavior across a whole session. <\/p>\n
This is where Wallarm\u2019s API Abuse Prevention capability comes in. We combine machine learning (ML) and statistical analysis to detect signs of abuse, including: <\/p>\n
* Abnormal request rates or patterns
* Session and IP rotation behaviors
* Low endpoint diversity, indicating bots hitting specific functions repeatedly
* Unusual authentication activity
* Intent-based signals, such as initiating recovery flows without prior login attempts<\/p>\n
Wallarm\u2019s detectors establish baselines for specific aspects of application behavior over time, then identify anomalous sessions. The combination of detectors point towards specific malicious behaviors, like account takeover attempts. When the platform detects suspicious activity, it automatically blocks or throttles the source, minimizing the risk of abuse. <\/p>\n
<\/p>\n
## What Security Leaders Should Do<\/p>\n
To protect against sophisticated API abuse like credential validation campaigns, security leaders should take the following steps: <\/p>\n
* **Audit API Endpoints:** Regularly review all exposed APIs, including account recovery, login, and user lookup endpoints. Use API discovery tools to identify undocumented or shadow APIs.
* **Harden Error Responses:** Standardize and sanitize error messages to avoid revealing whether an account exists.
* **Monitor Behavior, Not Just Volume:** Go beyond rate limits. Use behavioral monitoring to detect unusual patterns, such as repeated access to specific endpoints or inconsistent session activity.
* **Use Real-Time Abuse Prevention:** Deploy tools like Wallarm that use ML to detect and block automated attacks based on intent and context, not just volume or headers.
* **Update Models Frequently:** Reflect new abuse methods in your threat models and risk assessments. Evolve your defenses as attackers evolve tactics.
* **Limit Data Exposure:** Review what data your APIs return and enforce the principle of least privilege. Don\u2019t expose more than you need to.
* **Secure Access Controls:** Enforce authentication and authorization for sensitive operations. Ensure endpoints like password resets can\u2019t be accessed anonymously. <\/p>\n
Ultimately, combining smart design, real-time protection, and continuous monitoring will help turn your APIs from soft targets into hardened assets. <\/p>\n
## Open APIs Need Intelligent Defenses<\/p>\n
APIs are designed to be open and accessible. Unfortunately, that openness creates risk. The TikTok and Instagram credential checker campaigns show how attackers can quietly exploit APIs to validate stolen data without ever tripping an alarm. <\/p>\n
This wasn\u2019t a breach in the traditional sense. It was a quiet, calculated misuse, turning helpful features into tools for exploitation. If you\u2019re not actively monitoring _how_ your APIs are used, not just how often, you\u2019re missing the early signs of abuse. And in today\u2019s increasingly treacherous threat landscape, early detection is everything. Want to find out more about how Wallarm can help protect your organization from evolving API abuse? Schedule a demo.<\/p>\n
The post Attackers Abuse TikTok and Instagram APIs appeared first on Wallarm.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Attackers Abuse TikTok and Instagram APIs Update ID WALLARMLAB:D21280A45302F6F584FDC8F477E20746 Type wallarmlab Published 2025-05-22T13:50:29 Last Updated 2025-05-22T13:50:29 Security Impact CVSS…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,7,11,5,105],"class_list":["post-5685","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"\n
Attackers Abuse TikTok and Instagram APIs - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5685\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Attackers Abuse TikTok and Instagram APIs - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Attackers Abuse TikTok and Instagram APIs Update ID WALLARMLAB:D21280A45302F6F584FDC8F477E20746 Type wallarmlab Published 2025-05-22T13:50:29 Last Updated 2025-05-22T13:50:29 Security Impact CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5685\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-22T09:43:57+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Attackers Abuse TikTok and Instagram APIs\",\"datePublished\":\"2025-05-22T09:43:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685\"},\"wordCount\":1124,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5685#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685\",\"name\":\"Attackers Abuse TikTok and Instagram APIs - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-22T09:43:57+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5685\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5685#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Attackers Abuse TikTok and Instagram APIs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Attackers Abuse TikTok and Instagram APIs - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5685","og_locale":"en_US","og_type":"article","og_title":"Attackers Abuse TikTok and Instagram APIs - zero redgem","og_description":"Security Update News Update Information Title Attackers Abuse TikTok and Instagram APIs Update ID WALLARMLAB:D21280A45302F6F584FDC8F477E20746 Type wallarmlab Published 2025-05-22T13:50:29 Last Updated 2025-05-22T13:50:29 Security Impact CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=5685","og_site_name":"zero redgem","article_published_time":"2025-05-22T09:43:57+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5685#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5685"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Attackers Abuse TikTok and Instagram APIs","datePublished":"2025-05-22T09:43:57+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5685"},"wordCount":1124,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5685#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5685","url":"https:\/\/zero.redgem.net\/?p=5685","name":"Attackers Abuse TikTok and Instagram APIs - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-22T09:43:57+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5685#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5685"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5685#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Attackers Abuse TikTok and Instagram APIs"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5685"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5685\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}