Hello! Looks like there is no solution for the `"action": "close","status": "ok"` response after submitting the code for a simple challenge verification on a 2FA-enabled account?
I have a challenge: first code verification, and a second SMS after, but the problem is that I don't have the 2FA login information after the first challenge was solved.
I've tried to reset, replay, login with wrong pass, submit second code to first challenge url and to second one, wipe all sessions/devices... no luck
Please paste your debug log here.
My flow:
Login request:
````
POST https://i.instagram.com/api/v1/accounts/login/
Array
(
[post] => 1
[country_codes] => [{"country_code":"1","source":["default"]}]
[adid] => ********
[guid] => ********
[device_id] => ********
[google_tokens] => []
[login_attempt_count] => 0
[username] => ********
[password] => ********
[queryParams] => {}
[optIntoOneTap] => false
)
````
Login response:
````
stdClass Object
(
[message] => challenge_required
[challenge] => stdClass Object
(
[url] => https://i.instagram.com/challenge/*/Frp2eQ1NnM/
[api_path] => /challenge/*/Frp2eQ1NnM/
[hide_webview_header] => 1
[lock] => 1
[logout] =>
[native_flow] => 1
)
[status] => fail
[error_type] => checkpoint_challenge_required
)
````
Challenge details request:
GET https://i.instagram.com/api/v1/challenge/********/Frp2eQ1NnM/
Challenge details response:
````
stdClass Object
(
[step_name] => select_verify_method
[step_data] => stdClass Object
(
[choice] => 0
[fb_access_token] => None
[big_blue_token] => None
[google_oauth_token] => true
[phone_number] => *
[email] => *
)
[user_id] => ********
[nonce_code] => Frp2eQ1NnM
[status] => ok
)
````
Challenge verification method request:
````
POST https://i.instagram.com/api/v1/challenge/********/Frp2eQ1NnM/
Array
(
[choice] => 0
[post] => 1
)
````
Challenge verification method response:
````
stdClass Object
(
[step_name] => verify_code
[step_data] => stdClass Object
(
[security_code] => None
[sms_resend_delay] => 60
[phone_number_preview] => *
[resend_delay] => 60
[contact_point] => *
[form_type] => phone_number
[phone_number_formatted] => *
[phone_number] => *
)
[user_id] => ********
[nonce_code] => Frp2eQ1NnM
[status] => ok
)
````
First SMS with verification code received at this point:
Use *** *** to verify your Instagram account #ig
Everything looks good so far! I have "That was me" confirmation on my device and I've confirmed it on device.
Verification code request:
````
POST https://i.instagram.com/api/v1/challenge/652508404/Frp2eQ1NnM/
Array
(
[post] => 1
[security_code] => ******
)
````
Verification code response:
````
stdClass Object
(
[action] => close
[status] => ok
)
````
Second SMS message received at this point:
*** *** is your Instagram code
Well, I'm trying to login one more time. At some point here I have another "This is me" confirmation on my real device and I've confirmed it.
````
POST https://i.instagram.com/api/v1/accounts/login/
Array
(
[post] => 1
[country_codes] => [{"country_code":"1","source":["default"]}]
[adid] => ******
[guid] => ******
[device_id] => ******
[google_tokens] => []
[login_attempt_count] => 0
[username] => ******
[password] => ******
[queryParams] => {}
[optIntoOneTap] => false
)
````
Second login response:
````
stdClass Object
(
[message] => challenge_required
[challenge] => stdClass Object
(
[url] => https://i.instagram.com/challenge/*/Frp2eQ1NnM/
[api_path] => /challenge/*/Frp2eQ1NnM/
[hide_webview_header] => 1
[lock] => 1
[logout] =>
[native_flow] => 1
)
[status] => fail
[error_type] => checkpoint_challenge_required
)
````
Looks like the same `nonce_code` in this response!
Trying to send second verification code to this challenge url:
````
POST https://i.instagram.com/challenge/******/Frp2eQ1NnM/
Array
(
[post] => 1
[security_code] => ******
)
````
And that's it, empty response at this point.
If I don't react to the confirmations on my real device, I can get a new nonce_code after the second login and get another loop of validation requests.
Sorry, I'm just using endpoints from this library and all post/get parameters recommended here, and I think this is a known issue in this project and I want to solve it.
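The response sequence in the log above, as an added example that is not part of the original post or of the library: a small JavaScript tracer that classifies each decoded response by the fields visible in the dumps and flags the point where a login returns a challenge whose nonce was already closed. The function names and the sample objects are constructed for illustration.

```javascript
// Added example; function names are hypothetical, field names come from the log.

// "/challenge/<user>/<nonce>/" -> "<nonce>"
function nonceFromPath(apiPath) {
  const parts = String(apiPath || "").split("/").filter(Boolean);
  return parts.length >= 3 && parts[0] === "challenge" ? parts[2] : null;
}

// Map one decoded response body to a coarse state.
function classify(resp) {
  if (resp.error_type === "checkpoint_challenge_required" && resp.challenge) {
    return { kind: "challenge_required", nonce: nonceFromPath(resp.challenge.api_path) };
  }
  if (resp.step_name) {
    return { kind: resp.step_name, nonce: resp.nonce_code || null };
  }
  if (resp.action === "close" && resp.status === "ok") {
    return { kind: "challenge_closed", nonce: null };
  }
  if (resp.message === "login_required") {
    return { kind: "logged_out", nonce: null };
  }
  return { kind: "unknown", nonce: null };
}

// Walk responses in order; a challenge for an already-closed nonce is the loop.
function traceFlow(responses) {
  const closed = new Set();
  let active = null;
  const events = [];
  for (const resp of responses) {
    const c = classify(resp);
    if (c.kind === "challenge_required") {
      events.push((closed.has(c.nonce) ? "loop:" : "challenge:") + c.nonce);
      active = c.nonce;
    } else if (c.kind === "challenge_closed") {
      if (active !== null) closed.add(active);
      events.push("closed_without_session");
    } else {
      if (c.nonce) active = c.nonce;
      events.push(c.kind);
    }
  }
  return { events, looping: events.some((e) => e.startsWith("loop:")) };
}

// Constructed sample mirroring the five responses in the log (ids replaced by "*").
const challenge = (nonce) => ({
  message: "challenge_required",
  challenge: { api_path: `/challenge/*/${nonce}/` },
  status: "fail",
  error_type: "checkpoint_challenge_required",
});
const SAMPLE_FLOW = [
  challenge("Frp2eQ1NnM"),
  { step_name: "select_verify_method", nonce_code: "Frp2eQ1NnM", status: "ok" },
  { step_name: "verify_code", nonce_code: "Frp2eQ1NnM", status: "ok" },
  { action: "close", status: "ok" },
  challenge("Frp2eQ1NnM"),
];

console.log(traceFlow(SAMPLE_FLOW));
```

A second login that returns a different nonce, as described for the case without device confirmation, is reported as a new `challenge:` event rather than a loop.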
After the challenge is closed, have you tried to do the requests as you'd normally do?
And btw. using the latest version you can set `DEBUG=ig:*` and you'll get debug output, but yours does it as well
Even though I don't see any sessionid in the cookie file, I've tried to request the /users/*****/info endpoint, but without any positive result. Here is a response:
````
stdClass Object
(
[message] => login_required
[error_title] => You've Been Logged Out
[error_body] => Please log back in.
[logout_reason] => 2
[status] => fail
)
````
I can see same issue #993 and I've followed answer from @LexSerest but still don't have a clue. Same reports: #801 #740 #631 #433
@350d I think what you're experiencing is a block on one of the UUIDs that you're using in your requests. I've found that the trick is to deterministically generate those IDs;
This is what I'm using to generate the UUIDs (in Kotlin):
````
import java.util.UUID

// Name-based UUID: the same seed always yields the same UUID
fun generateUUID(seed: String): String {
    return UUID.nameUUIDFromBytes(seed.toByteArray()).toString()
}
````
And for all the UUIDs the seeds are deterministic. E.g.
````
internal val uuid get() = generateUUID(instanceId)
internal val phoneId get() = generateUUID(instanceId + "_phone")
````
When the instanceId (string) is constant all the generated IDs are deterministic. Then if you get into the challenge loop, you can change your instanceId and try again.
I'm also facing this problem, but in the mgp25 Instagram bundle for PHP.
Using a reverse-engineered app I can even reproduce this behaviour in the Burp application, but I can't understand why a thing which works in the Instagram app does not work in mgp25, though I'm sending the same headers, params and cookies.
Ok, so finally I found what was the reason for the endless loop in mgp25. Maybe it would help you too, guys.
We had outdated constants:
````
const IG_VERSION = '107.0.0.27.121';
const VERSION_CODE = '168361634';
````
I changed their values to:
````
const IG_VERSION = '128.0.0.26.128';
const VERSION_CODE = '197825254';
````
And no endless challenge loop anymore!
So maybe it would help someone.
@kazmerchuk, this makes absolutely no sense
this behavior is present in instagram since 70.xxxxx for what i've tested.
as correctly stated by @350d on the official instagram app this flow goes through the internal browser
i'm using the apks found on https://github.com/itsMoji/Instagram_SSL_Pinning in order to sniff the requests but those apks are not able to bypass the ssl pinning for the browser... so after the challenge response the app just freezes.... until i turn off the proxy, then the app goes straight away to the 2fa and the following post login requests
the big challenge to solve this problem is
IS ANYONE ABLE TO MONITOR THE REQUESTS MADE BY THE INSTAGRAM INTERNAL BROWSER?
if so can you please... share at any pastebin page the complete request/response flow of logging in to an account with 2FA ENABLED from a new device + new ip (which will lead to identity verification)
thanks
@bolds07 Ok, maybe it makes no sense but it works for me (not always, as I found later), with some other changes in the code of course.
You don't need to use an apk with disabled ssl pinning, facebook currently allows you to switch it off in the app settings without any problems, have a look here - https://www.facebook.com/whitehat/researcher-settings/help/
Maybe you will find a solution for this problem which would always work
> You don't need to use an apk with disabled ssl pinning, facebook currently allows you to switch it off in the app settings without any problems, have a look here - https://www.facebook.com/whitehat/researcher-settings/help/

how long after enabling it on the browser did the option appear to you in the instagram app?
i did the first step on the browser but still dont see the setting 'internal'
@bolds07 actually you need to have at least one instagram account connected to facebook, and if you will enable this setting at facebook and log in in instagram app using this account credentials, you will see this option in settings. Hope you can search how to connect ig account to facebook by yourself :)
Well, I completed the process and was able to activate the settings as shown in the linked page, but i think it won't help for solving this problem anyway....
in order to "disable the ssl pinning" i must connect to instagram in my account and enable a switch...
if i clear instagram data, uninstall or try to login to another account the switch is disabled automatically
the point is once i have successfully connected to instagram it will no longer present me the verify_identity challenge so it will be impossible to replicate the situation described in the beginning of this topic....
still need to find a way to disable the ssl pinning from the inner browser like i told before
anyone made any progress in this issue?
I've done some blind tests (since i can't intercept real instagram inner browser requests) and i discovered one small detail.
this is how i'm doing it
1- i try to login through the api,
2- i get the challenge required response
3- i copy all the cookies and the User-Agent data from the api to a chrome session (normal chrome browser)
4- i load the challenge url in chrome
when using a browser to handle the identity_verification challenge, at the end of it (if you submitted the right challenge code) instagram will answer with a new http cookie.
`ig_did=2575F1B9-A023-48ED-95D5-0AA563C50A33`
i never saw the ig_did cookie before, don't know exactly what to do with it
also at the end of verification chrome is redirected to "instagram://dismiss_dialog" so the next request will be handled by the normal api, not the browser
{"action": "close","status": "ok"}
We solved this issue a year ago like that. You should handle all little bit different.

As you can see, the solution is to call login twice right after the challenge is completed. Second login with the same session (User Agent and IP).
This scheme works for me in 2020’s.
@sergeykomlev You mean I need to store cookies before every api call and roll them back if I get action:close or its ok to call login one more time with updated cookies after? I guess I've tried to call login again before without any success.
> @sergeykomlev You mean I need to store cookies before every api call and roll them back if I get `action:close` or its ok to call login one more time with updated cookies after? I guess I've tried to call login again before without any success.

When 2FA enabled and you don’t have valid session, it’s important to call login again with the same device parameters and IP. On second retry you will not see challenge and you will see 2FA.
Challenge happened only for new unknown for your account devices and IPs.
@sergeykomlev i guess me and everybody who had this problem had as a first thought to simply force call login again... and it doesn't work as is...
so if what you say is true and you can login it must be because of some cookie related stuff...
this is what i do (and i guess @350d has the very same situation)
1- first time trying to connect
2- create device fingerprint
3- try to login -> challenge_required
4- solve challenge -> action_close
5- force call login -> challenge_required
... after that it stays in loop forever
note that the device fingerprint (cookies, device_id phone_id user_agent) is kept during the whole process...
i've tried playing around with cookies like flushing, erasing csrftoken and stuff like that but no success
so if you can explain what exactly you mean by
> call login again with session you saved in database

you flush all cookies and csrftoken acquired during the login process?
I'm working with a different API, PHP based, but in JS it all should look alike.
I remembered what was going on. I looked at this API implementation and here is what I can say.
After you successfully called `sendSecurityCode()` with the correct code you should check whether the response is valid, equal to a standard login response.
`{"action": "close","status": "ok"}` - is an incorrect response.
If the login response is incorrect, you should call login again with the same fingerprint (cookies, device_id phone_id user_agent) and IP so that you can catch 2FA.
@350d, I took a look again at the IG app's requests and at the PHP API. I think some parameters in your POST requests are missing.
Login:
Send the choice to get the verification code in case of challenge:
Finish a challenge login:
Request a new security code SMS for a Two Factor login account:
Finish a two-factor authenticated login:
> I'm working with a different API, PHP based, but in JS it all should look alike.
> I remembered what was going on. I looked at this API implementation and here is what I can say.
> After you successfully called `sendSecurityCode()` with the correct code you should check whether the response is valid, equal to a standard login response.
> `{"action": "close","status": "ok"}` - is an incorrect response.
> If the login response is incorrect, you should call login again with the same fingerprint (cookies, device_id phone_id user_agent) and IP so that you can catch 2FA.

it is exactly what i am doing and it is not successful, can you post a debug log of a real flow solving this issue with your php api? i guess it would be enough for everybody to understand how to solve the problem.
It also doesn't work in JS. i'm working with an android api i built myself based on the mgp25 php one....
i don't think the parameters are the problem here, in case you send a request with wrong parameters instagram will reply http 400 or 502 [depending on the endpoint]
@bolds07 contact with me in Telegram, my nickname is similar, PHP repository have DMCA on GitHub, I can’t post code here. I will send you actual requests.
i dont have a telegram...
created one just now to try talk to you but it says "you cant send messages to non mutual contacts" [or something] you can try reach me by +60198665604 telegram
[email protected] my email if you prefer
@bolds07 hello. I have changed my IG_VERSION and VERSION_CODE to
`IG_VERSION = '128.0.0.26.128'; VERSION_CODE = '197825254';`, and the algorithm (login -> verify -> login), for my account with the same issue, started working. Did you try changing the constants?
P.S. sorry for bad english.
a few updates on this issue....
i've been doing LOTS OF TESTS on it
my code is based on instagram version 100
i played around with the instagram versions and i was able to sniff instagram 72 inner browser requests.
this is the log
https://pastebin.com/pCKAUs8d
as you can see, even the official instagram app runs into the loop when "action: close" happens
so it might really be a bug in the instagram server and it really might be related to the version.
i'm super tired of this issue and i'm out of time to dig into it, so if anyone has extra info just let me know...
i'm avoiding updating the version of my api for personal reasons
Same problem here: when getting action close I am running login again and get the IgCheckpointError and it loops.
Found out that disabling 2fa helps with this problem but i never get IgLoginTwoFactorRequiredError, it is always IgCheckpointError
@sergeykomlev Btw your scheme was helpful thanks!
@Ektaros Disabling 2fa helped me as well. Hopefully we will be able to find some solution as disabling 2fa is not a good idea.
> @bolds07 hello. I have changed my IG_VERSION and VERSION_CODE to
> `IG_VERSION = '128.0.0.26.128'; VERSION_CODE = '197825254';`, and the algorithm (login -> verify -> login), for my account with the same issue, started working. Did you try changing the constants?
> P.S. sorry for bad english.

Today I detected that our solution is also not working anymore. But these simple changes help. Thanks!
got the solution...
for those who are interested here is the code
https://pastebin.com/FvUdEF2e
@bolds07 Thank you for your logs. Can you please point us to exact clue you've discovered?
@350d take a look at request after line 729.
Challenge finished.
{"action": "close","status": "ok"}
Then:
Looks like it’s a pre login flow.
After that login again:
@sergeykomlev It works! but in ~50% cases so far.
this issue was resolved in the paid version of this library.
you can contact with me in telegram @bowzee for purchasing
@350d, why did you reopen this issue?
@sergeykomlev To allow you to comment (if any) for new details about success rate. In my case I have a success about 50% cases but from second attempt all session now fine. Time to close it I guess.
> @sergeykomlev To allow you to comment (if any) for new details about success rate. In my case I have a success about 50% cases but from second attempt all session now fine. Time to close it I guess.

What error do you see at first attempt?
@sergeykomlev same thing, "action=close"
> @sergeykomlev same thing, "action=close"

Do you send the second login flow with a delay or without?
Delay, few second, depends on user, I'm asking to login again in this case and it takes minimum 5-10 seconds to inform user about this situation.
it stopped working for me...
if anyone has made any progress please share
> it stopped working for me...
> if anyone has made any progress please share

I reversed the last version of instagram and the login works nicely and i can follow new users. I mean i built the library just for that case, logging in and following people to grow my instagram account.
But i can try to implement 2FA, if someone has an idea on the V133 app, make a pull request
> I reversed the last version of instagram and the login works nicely and i can follow new users. I mean i built the library just for that case, logging in and following people to grow my instagram account.
> But i can try to implement 2FA, if someone has an idea on the V133 app, make a pull request

Sounds like "I copied mgp's library". (At least some sections are pretty similar)
But this isn't really related. Your library doesn't even have the challenge functions, so you can't experience this issue.
Facing same issue with 2fa and without 2fa.
> I reversed the last version of instagram and the login works nicely and i can follow new users. I mean i built the library just for that case, logging in and following people to grow my instagram account.
> But i can try to implement 2FA, if someone has an idea on the V133 app, make a pull request

the guy completely copied the mgp library and posted it on github and is asking for donations...
how can we report this to github or at least to instagram so they can shut his repository down
> the guy completely copied the mgp library and posted it on github and is asking for donations...
> how can we report this to github or at least to instagram so they can shut his repository down

Try to inspect my library and try to compare with the mgp's.
I reversed it, and built my own library. Mgp is almost everywhere using just clean params and my project is using almost everywhere signed bodies. I would never post other projects
@socialAPIS Hi! you really backed latest client - can you please message me via telegram or email me
Thanks!
@socialAPIS, I checked your library. I didn't see a code for 2FA handling after login, yes you have a code to send 2FA code & login, but how you catch 2FA after challenge response {"action": "close","status": "ok"}.
If 2FA enabled and you will try to call login after challenge response {"action": "close","status": "ok"}, you will be forced to new verification challenge (aka challenge loop).
I think the problem not related to request headers because I have absolutely similar to yours.
The problem happened because of something different.
> Try to inspect my library and try to compare with the mgp's.

You copied the license from his repo (and then removed it). It mentioned the premium subscription. You only changed the url to yours. However, this is only about your "shell", but imo you could at least give him credit.
Just to add some new thoughts
There is another situation that causes instagram to return "action: close".
1- Start a fresh new login with the api... you will be directed to challenge flow.
2- select challenge method
3- on a real phone with a previous session of the same account, open instagram. you will receive a popup saying "_be careful there is a bad hacker trying to destroy your account_" (or some bullshit instagram writes to scare users). press "**WAS ME**"
4-back to api login solve challenge normally. you will receive "action: close".
5-force re-login you will receive the very same challenge code and answer.
IG changed the 2FA process. It's working now again.
> Try to inspect my library and try to compare with the mgp's.

> You _copied_ the license from his repo (and then removed it). It mentioned the premium subscription. You only changed the url to yours. However, this is only about your "shell", but imo you could at least give him credit.

English is not my mother language, and when i need to create a README, i'm bad at that point... Then i scrape the internet, find some that i like and edit them. But the Client is written by me.
> @socialAPIS, I checked your library. I didn't see a code for 2FA handling after login, yes you have a code to send 2FA code & login, but how you catch 2FA after challenge response {"action": "close","status": "ok"}.
> If 2FA enabled and you will try to call login after challenge response {"action": "close","status": "ok"}, you will be forced to new verification challenge (aka challenge loop).
> I think the problem not related to request headers because I have absolutely similar to yours.
> The problem happened because of something different.

When you run it in CLI it asks you automatically to enter the code