Information Security

Exploiting Premium Phone Numbers to Steal Money from Instagram, Google, and Microsoft

The article details how attackers exploit premium phone numbers in Instagram, Google, and Microsoft’s two‑factor authentication to generate automated voice calls, earn money per call, and how the vulnerabilities were reported, mitigated, and rewarded through bug‑bounty programs.

Qunar Tech Salon

Large internet services invest heavily in security, yet even these platforms ship exploitable flaws. A researcher found that Instagram, Google, and Microsoft each let an attacker register a premium-rate (paid) phone number as a verification number and then profit from every automated call the service placed to it.

Instagram vulnerability: When a user links a phone number to an Instagram account, the service sends a six-digit SMS code. If the code is not entered within three minutes, Instagram places an automated voice call (a robocall) to the supplied number to read the code out. The request behind that call is https://i.instagram.com/api/v1/accounts/robocall_user/ , and it is rate-limited to one call per 30 seconds per account. The limit is per account, not per destination number, so an attacker who supplies a premium-rate number (a US-based premium line in the article's example) and links it to many accounts is paid for every call. The researcher estimated roughly $1 per call, about $48 per day per number, and up to $1.7 million per year with 100 accounts and numbers.

The issue was reported to Facebook's bug-bounty program (Facebook owns Instagram). It was initially dismissed, then accepted, and ultimately earned a $2,000 bounty, later doubled to $4,000, plus a public acknowledgment.

Google vulnerability: Google's voice-call two-factor authentication accepts premium-rate numbers. Once such a number is linked, Google calls it and reads out a six-digit code, and it allows up to ten calls per hour to the same number whether or not the call is answered. By automating the login flow with Selenium and answering the calls through a SIP client (e.g., Blink), an attacker can extract about €12 per day per number, or roughly €4,320 per year, and multiply that 100-fold with 100 numbers and accounts.

Google classified the behavior as an "acceptable risk", listed the researcher in its hall of fame, and paid no bounty.

Microsoft vulnerability: During Office 365 trial registration, Microsoft also calls any supplied number, premium-rate numbers included, with a cap of seven calls per number. The researcher found two ways to make the same destination look like a different number and so defeat the cap: (1) prefixing the number with extra zeros or a country code, and (2) appending one to four random digits as a suffix, which still routes to the same line. The prefix trick alone produced 172 usable variants; combined with the 11,110 possible one-to-four-digit suffixes and seven calls per variant, that is over 13 million calls per premium number (172 × 11,110 × 7 ≈ 13.4 million), or roughly €668,882 in revenue. Because Microsoft placed up to ten calls concurrently, the attacker could also drain that budget faster.

Microsoft patched the prefix bypass in March 2016 and the suffix bypass later, and paid a $500 bounty, noting that the flaw had limited impact on Microsoft's own customers.

All three platforms eventually mitigated the abuse. The research shows how premium-rate telephony turns any "call me" feature into a payout channel for whoever controls the destination number, and why voice-based verification flows should canonicalize and validate the number they are asked to call, refuse premium-rate ranges, and rate-limit per destination number rather than per account.
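As an added example (not code from the article, nor from the researcher or any of the three vendors), the following Python models the two gates this article contrasts: a per-account limiter keyed on the raw string, which the extra accounts, zero prefixes and digit suffixes described above all defeat, beside a hardened gate that canonicalizes to E.164, refuses premium-rate ranges, and limits calls per destination number across all accounts. The country-length table, the premium-rate prefixes, the frozen clock, and the sample numbers are assumptions made for the demo.

```python
"""Added example (not from the original article or the researcher's code):
a voice-call gate that canonicalizes the destination number and rate-limits
per destination, beside the per-account limiter the article describes being
bypassed with extra accounts, zero prefixes and digit suffixes.
Country-length table, premium-rate prefixes and sample numbers are assumptions."""
import re
import time
from collections import Counter, defaultdict
from typing import Callable, Optional

# Assumption: total E.164 digit count (country code included) for the two
# countries this demo handles. Real rules are per-range; use libphonenumber in production.
EXPECTED_LEN = {"44": 12, "1": 11}
# Assumption: illustrative premium-rate prefixes (UK 09x, US 900); source a real list from numbering-plan data.
PREMIUM_PREFIXES = ("+449", "+1900")


def normalize_e164(raw: str, default_cc: str = "44") -> Optional[str]:
    """Return '+<cc><national digits>' or None. Rejects the padding tricks: extra leading
    zeros leave a country code starting with 0, appended digits change the length."""
    s = re.sub(r"[\s().-]", "", raw)
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("00"):          # international dialling prefix
        digits = s[2:]
    elif s.startswith("0"):           # national trunk prefix; assume the default country
        digits = default_cc + s[1:]
    else:
        return None
    if not digits.isdigit() or digits[0] == "0":
        return None                   # no country code starts with 0
    cc = next((c for c in sorted(EXPECTED_LEN, key=len, reverse=True)
               if digits.startswith(c)), None)
    if cc is None or len(digits) != EXPECTED_LEN[cc]:
        return None                   # unknown country, or prefix/suffix padding changed the length
    return "+" + digits


def is_premium_rate(e164: str) -> bool:
    return e164.startswith(PREMIUM_PREFIXES)


def _admit(log, key, max_calls: int, window_s: float, t: float) -> str:
    """Sliding-window check: allow at most max_calls per key within window_s seconds."""
    recent = [ts for ts in log[key] if t - ts < window_s]
    if len(recent) >= max_calls:
        log[key] = recent
        return "throttled"
    recent.append(t)
    log[key] = recent
    return "called"


class NaiveAccountGate:
    """What the article describes: one call per window per account, keyed on the raw string."""
    def __init__(self, max_calls: int, window_s: float, now: Callable[[], float] = time.monotonic):
        self.max_calls, self.window_s, self.now = max_calls, window_s, now
        self.log = defaultdict(list)

    def request_call(self, account: str, raw_number: str) -> str:
        return _admit(self.log, (account, raw_number), self.max_calls, self.window_s, self.now())


class DestinationGate:
    """Hardened: canonicalize first, refuse premium ranges, then limit per destination across all accounts."""
    def __init__(self, max_calls: int, window_s: float, now: Callable[[], float] = time.monotonic):
        self.max_calls, self.window_s, self.now = max_calls, window_s, now
        self.log = defaultdict(list)

    def request_call(self, account: str, raw_number: str) -> str:
        number = normalize_e164(raw_number)
        if number is None or is_premium_rate(number):
            return "rejected"
        return _admit(self.log, number, self.max_calls, self.window_s, self.now())


def simulate_attack(gate, accounts, variants) -> Counter:
    """Every account submits every spelling of the same number inside one window."""
    return Counter(gate.request_call(a, v) for a in accounts for v in variants)


if __name__ == "__main__":
    clock = lambda: 1000.0   # frozen clock: every request lands in the same 30 s window
    accounts = [f"acct{i}" for i in range(5)]
    # Constructed spellings of one number; 07700 900xxx is the UK range reserved for fiction.
    variants = ["+44 7700 900123", "0044 7700 900123", "07700 900123"]
    print("naive:    ", simulate_attack(NaiveAccountGate(1, 30, clock), accounts, variants))
    print("hardened: ", simulate_attack(DestinationGate(1, 30, clock), accounts, variants))
    print("premium:  ", DestinationGate(1, 30, clock).request_call("acct0", "+44 9090 123456"))
```

Running the block shows the naive gate placing 15 calls to one destination (five accounts times three spellings) while the hardened gate places one and throttles the rest, and rejects the premium-rate number outright. In production, replace `EXPECTED_LEN` and `PREMIUM_PREFIXES` with a real numbering-plan library such as libphonenumber, which knows per-range lengths and number types; the shape of the check (normalize, classify, then throttle on the canonical key) is what closes the bypasses.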

Tags: security, Google, Microsoft, bug bounty, Instagram, phone fraud, premium numbers
Written by

Qunar Tech Salon

Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.
