#instagram #private #api #signin #reverse #web #encrypt #decrypt #deobfuscate #session #PWD_INSTAGRAM_BROWSER

M3ikShizuka/instagram-private-api

Instagram private API

Description

This is the algorithm for encrypting data before sending the login request.

Usage

Sign in (instagram private web API version)

The script signinEncryptData.js contains the code that generates the POST data for the sign-in request.
Put your data into the call to generatePostDataForSignIn() and run index.html (from a web server, to avoid being blocked by the CORS policy); you will get the POST data for your sign-in request.
You must extract the sessionid from the response header (field "Set-Cookie: sessionid=..."); this will be your authorized session. Insert the sessionid into the Cookie field of every HTTP request that needs to be authorized.
WARNING
If you're using fetch or something else that doesn't have access to HttpOnly cookie fields, you need to enable the use of cookies and sessions. Read more here
  1. Send a request to any instagram.com page (e.g. https://www.instagram.com/accounts/login/).
    Get the parameters from the response headers:
    ig-set-password-encryption-web-key-id: ...
    ig-set-password-encryption-web-pub-key: ...
    ig-set-password-encryption-web-key-version: ...
    

    OR
    from the HTML (GET request to any page, e.g. https://www.instagram.com/accounts/login/):
    Example HTML response:

    ...
    <script type="text/javascript">window._sharedData = {
        "config": {
            "csrf_token":"..." ... // <=== this is csrftoken
    ...            
        "encryption": {
            "key_id":"...", // <=== ig-set-password-encryption-web-key-id
            "public_key":"...", // <=== ig-set-password-encryption-web-pub-key
            "version":"..." // <=== ig-set-password-encryption-web-key-version
        }
    ...
    </script>
    ...
  2. Process the data using the algorithm described in signinEncryptData.js.
    The following cryptographic algorithms and libraries are used:
    • AES-GCM-256
    • NaCl crypto_box seal (Curve25519, Salsa20, Poly1305). crypto_box is curve25519xsalsa20poly1305, a particular combination of Curve25519, Salsa20, and Poly1305 specified in "Cryptography in NaCl".
  3. Send the sign-in POST request with postData. Minimal headers expected for a successful authorization request:
    url: "https://www.instagram.com/accounts/login/ajax/", // <=== Sign in API url
    headers: {
        "Host": "www.instagram.com",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-CSRFToken": csrftoken, // <=== csrftoken
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
    },
    body: postData // <=== Data obtained at the second stage. 

    Get the sessionid from the Set-Cookie header of the response. This is your authorized session.

    WARNING Set-Cookie: sessionid is HttpOnly. Read more here.

    Success response:
    // Header: 
    Set-Cookie: sessionid=...; Domain=.instagram.com; expires=Sat, 10-Jul-2021 13:51:39 GMT; HttpOnly; Max-Age=31536000; Path=/; Secure
    // Body:
    {
        "user": true,
        "userId": ...,
        "authenticated": true,
        "oneTapPrompt": true,
        "status": "ok"
    }
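
An added example (not part of this repository's code) of the parsing that steps 1 and 3 describe: reading the three encryption parameters from the response headers or, failing that, from window._sharedData, and locating sessionid with its cookie attributes in a client where Set-Cookie values are readable. The function names and all sample values are constructed for illustration.

```javascript
// Added example, not from signinEncryptData.js. All sample values are constructed.
const HEADER_NAMES = {
  keyId: "ig-set-password-encryption-web-key-id",
  publicKey: "ig-set-password-encryption-web-pub-key",
  version: "ig-set-password-encryption-web-key-version",
};
// Step 1: prefer the response headers, fall back to window._sharedData in the HTML.
function extractEncryptionParams(headers, html) {
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const fromHeaders = Object.fromEntries(
    Object.entries(HEADER_NAMES).map(([field, name]) => [field, lower[name]]));
  if (Object.values(fromHeaders).every(Boolean)) return { source: "headers", ...fromHeaders };

  const m = /window\._sharedData\s*=\s*(\{[\s\S]*?\})\s*;?\s*<\/script>/.exec(html || "");
  if (!m) throw new Error("encryption parameters not found in headers or HTML");
  const enc = JSON.parse(m[1]).encryption || {};
  if (!enc.key_id || !enc.public_key || !enc.version) {
    throw new Error("window._sharedData has no complete encryption block");
  }
  return { source: "html", keyId: enc.key_id, publicKey: enc.public_key, version: enc.version };
}

// Step 3: find sessionid among the Set-Cookie values and report its attributes.
function parseSessionCookie(setCookieValues) {
  for (const line of setCookieValues) {
    const [pair, ...attrs] = line.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq) !== "sessionid") continue;
    const flags = new Map(attrs.map((a) => {
      const i = a.indexOf("=");
      return i < 0 ? [a.toLowerCase(), true] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
    }));
    return {
      value: pair.slice(eq + 1),
      httpOnly: flags.has("httponly"),
      secure: flags.has("secure"),
      maxAge: flags.has("max-age") ? Number(flags.get("max-age")) : null,
    };
  }
  return null; // no sessionid cookie: the sign-in did not produce a session
}
// Constructed inputs shaped like the page's samples.
const SAMPLE_HTML = '<script type="text/javascript">window._sharedData = {"config":' +
  '{"csrf_token":"CSRF-EXAMPLE"},"encryption":{"key_id":"1","public_key":"PUBKEY-EXAMPLE",' +
  '"version":"1"}};</script>';
const SAMPLE_SET_COOKIE = ["csrftoken=CSRF-EXAMPLE; Path=/; Secure",
  "sessionid=SESSION-EXAMPLE; Domain=.instagram.com; HttpOnly; Max-Age=31536000; Path=/; Secure"];
console.log(extractEncryptionParams({}, SAMPLE_HTML), parseSessionCookie(SAMPLE_SET_COOKIE));
```

The Max-Age of 31536000 seconds in the sample response is one year, so the extracted sessionid is a long-lived bearer credential and should be stored and logged with the same care as a password.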
