Vulnerability on Instagram application (Friendship Vulnerability)
=================================================================

I. VULNERABILITY
---------------
A lack of control in Instagram's authorization logic allows a user
to add himself as a friend of any user on the Instagram social network.

II. BACKGROUND
---------------
Instagram is a free photo sharing program launched in October 2010
that allows users to take a photo, apply a digital filter to it, and
then share it on a variety of social networking services, including
Instagram’s own. A distinctive feature confines photos to a square
shape, similar to Kodak Instamatic and Polaroid images, in contrast
to the 4:3 aspect ratio typically used by mobile device cameras.

Instagram was initially supported on iPhone, iPad, and iPod Touch;
in April 2012, the company added support for Android camera phones
running 2.2 (Froyo) or higher. It is distributed via the iTunes App
Store and Google Play.

III. DESCRIPTION
---------------
The Android and iPhone mobile applications are affected by a remote
vulnerability due to a lack of control in the logic applied to the
authorization feature.

An attacker can perform a brute-force attack in the context of the
user application and add himself as a friend of every user on
Instagram, thereby gaining access to private albums and profile
information.
Vulnerability

A lack of control was detected in the logic that processes the approval of friendship requests. This allows an attacker to carry out a brute-force attack in order to be added as a friend to any account on Instagram.

The attacker can then access images taken by users of the application and the information posted on their profiles. It was also found that this vulnerability affects users whose album is private, allowing access to the photos stored in it.

Exploitation

When a user profile is accessed, the request the application sends to the server is the following:

GET http://instagram.com/api/v1/users/USER_ID/info/ HTTP/1.1

The distinctive USER_ID is passed as a parameter, and the subsequent calls to the API are generated from it. To exploit the vulnerability, it was decided to generate a legitimate friendship request.

The appearance of the application when this happens is as follows:

The request to accept the friend request is:

POST http://instagram.com/api/v1/friendships/approve/USER_ID/ HTTP/1.1

In addition to the cookie carrying the session information of the user logged in to the application, it sends the following parameter:

signed_body=d3e7a3eda18825318482b0f5866c7bbaba4fe...........%7B%22user_id%22%3A%22USER_ID%22%7D

At a glance, this seems to be some kind of generated hash that validates the friendship request made by the user USER_ID, which is also sent in the request itself.

On the other hand, rejecting the friendship request looks like this:

POST http://instagram.com/api/v1/friendships/ignore/182383487/ HTTP/1.1
...
signed_body=d3e7a3eda18825318482b0f5866c7bbaba4fe........%7B%22user_id%22%3A%22USER_ID%22%7D

Only the API call changes, using the ignore method instead of approve.
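
The point a defender should take from the approve/ignore exchange above is that a signed body proves, at most, that the client produced the request; it says nothing about whether the authenticated user is entitled to approve a request from USER_ID. The following is an added Python model, not Instagram's code: the HMAC scheme, the in-memory store and the handler names approve_vulnerable/approve_secure are assumptions. It contrasts a handler that checks only the signature and the id with one that also requires a pending request addressed to the caller:

```python
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed signing key for this example. On a real service the signed_body is
# produced by the client app, so a valid MAC only proves "sent by the app",
# never "this user is authorised to approve this request".
SERVER_KEY = b"example-signing-key-not-from-the-advisory"


class FriendshipStore:
    """In-memory model of follow requests and established follows (constructed)."""

    def __init__(self):
        # (requester_id, target_id): requester asked to follow target, not yet approved
        self.pending = set()
        # (follower_id, followee_id): established relationship
        self.follows = set()

    def request_follow(self, requester_id, target_id):
        self.pending.add((requester_id, target_id))


def sign_body(payload, key=SERVER_KEY):
    """Build 'hexmac.url-encoded-json', the same shape as the signed_body parameter
    quoted in the advisory (the real scheme is not documented there; assumed)."""
    body = json.dumps(payload, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{quote(body)}"


def parse_signed_body(signed_body, key=SERVER_KEY):
    """Return the JSON payload if the MAC matches, else None."""
    mac, _, encoded = signed_body.partition(".")
    body = unquote(encoded)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def _ok_response():
    # Mirrors the field names listed in the advisory's response description.
    return {"status": "ok",
            "friendship_status": {"incoming_request": False, "followed_by": True}}


def approve_vulnerable(store, session_user_id, path_user_id, signed_body):
    """Simplified handler for POST /friendships/approve/<path_user_id>/ that validates the
    body and the id but never checks that <path_user_id> has a pending request to the
    session user: any id can be 'approved' into following the caller."""
    payload = parse_signed_body(signed_body)
    if payload is None or str(payload.get("user_id")) != str(path_user_id):
        return {"status": "fail"}
    store.follows.add((path_user_id, session_user_id))
    return _ok_response()


def approve_secure(store, session_user_id, path_user_id, signed_body):
    """Same handler with the missing authorisation check: the caller may only approve
    a request that exists and was addressed to the caller."""
    payload = parse_signed_body(signed_body)
    if payload is None or str(payload.get("user_id")) != str(path_user_id):
        return {"status": "fail", "message": "bad signature or id mismatch"}
    key = (path_user_id, session_user_id)
    if key not in store.pending:  # state check, not just a signature check
        return {"status": "fail", "message": "no pending request from this user"}
    store.pending.discard(key)
    store.follows.add(key)
    return _ok_response()


if __name__ == "__main__":
    attacker, victim = "100", "200"   # constructed ids
    store = FriendshipStore()
    body = sign_body({"user_id": victim})
    print("vulnerable:", approve_vulnerable(store, attacker, victim, body)["status"],
          (victim, attacker) in store.follows)
    print("secure:", approve_secure(FriendshipStore(), attacker, victim, body)["status"])
```

The design point is that approval is a state transition, so the server must look up the pending request keyed by both parties (requester from the path, recipient from the session) before creating the relationship; a signature over the request body, however it is computed, cannot substitute for that lookup.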

Given this, the first test conducted was to see whether it was possible to obtain the list of users and the data they publish in their profiles.

This yielded the following information:

  • A status field, presumably with information about the state of the account.
  • An array of users, each entry of which has the following fields: {username, media_count, following_count, profile_pic_url, biography, full_name, follower_count, pk, is_private, external_url} (all fairly self-descriptive).

Knowing that this catalog of users is available (it happens to be a feature of the API), the next step was to test whether the hash generated for the legitimate friend request could be used to trick the server and force all users of the application, automatically and without their knowledge, to be added as followers of our profile.

The output generated was as follows:

There you can see that our attack vector was successful; the response returned by the server is composed of the following parameters:

  • A status field, presumably with information about the state of the friendship.
  • A friendship_status object with the following fields: {incoming_request, followed_by, outgoing_request, following, blocking, is_private} (all fairly self-descriptive).
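
Mass, automated approvals of the kind described above leave a usable trace on the server side: one session approving many distinct user IDs in a short window. The following is an added Python detector, not part of the advisory; the log format, the actor= field, the sample lines and the window/threshold values are constructed. It runs over constructed access-log lines and raises one alert per actor whose successful approvals cover more distinct user IDs than the threshold within a sliding window:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (not from the advisory): timestamp, authenticated user
# of the session, request line, HTTP status. Actor 100 approves seven different
# user IDs in six seconds; actor 200 approves two; actor 300 gets a 4xx.
SAMPLE_LOG = [
    "2012-08-15T12:00:00 actor=100 POST /api/v1/friendships/approve/201/ 200",
    "2012-08-15T12:00:01 actor=100 POST /api/v1/friendships/approve/202/ 200",
    "2012-08-15T12:00:01 actor=200 POST /api/v1/friendships/approve/301/ 200",
    "2012-08-15T12:00:02 actor=100 POST /api/v1/friendships/approve/203/ 200",
    "2012-08-15T12:00:02 actor=100 GET /api/v1/users/204/info/ 200",
    "2012-08-15T12:00:03 actor=100 POST /api/v1/friendships/approve/204/ 200",
    "2012-08-15T12:00:04 actor=100 POST /api/v1/friendships/approve/205/ 200",
    "2012-08-15T12:00:05 actor=100 POST /api/v1/friendships/approve/206/ 200",
    "2012-08-15T12:00:06 actor=100 POST /api/v1/friendships/approve/207/ 200",
    "2012-08-15T12:00:07 actor=200 POST /api/v1/friendships/approve/302/ 200",
    "2012-08-15T12:00:08 actor=300 POST /api/v1/friendships/approve/401/ 400",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
APPROVE_RE = re.compile(r"^/api/v1/friendships/approve/(\d+)/$")


def parse_approve(line):
    """Return (timestamp, actor, approved_user_id, status) for approve calls,
    None for any other line (other endpoints, malformed lines)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    a = APPROVE_RE.match(m["path"])
    if not a:
        return None
    return datetime.fromisoformat(m["ts"]), m["actor"], a.group(1), int(m["status"])


def detect_mass_approvals(lines, window=timedelta(minutes=5), threshold=5):
    """Alert once per actor when successful approvals of more than `threshold` distinct
    user IDs fall inside a sliding `window`. Returns [(actor, alert_ts, distinct_count)]."""
    recent = defaultdict(deque)  # actor -> deque of (ts, approved_user_id), oldest first
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_approve(line)
        if parsed is None:
            continue
        ts, actor, target, status = parsed
        if status != 200:
            continue  # only approvals the server accepted count toward the window
        q = recent[actor]
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, ts, distinct))
    return alerts


if __name__ == "__main__":
    for actor, ts, n in detect_mass_approvals(SAMPLE_LOG):
        print(f"ALERT actor={actor} approved {n} distinct users by {ts.isoformat()}")
```

Counting distinct approved IDs rather than raw request volume keeps retries of one legitimate approval from tripping the rule; the threshold and window are placeholders to be tuned against the normal approval rate of real accounts.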

The results before and after testing:

What could be the scope of this flaw? Just take a tour of Twitter: Hollywood celebrities, presidents, government accounts, etc. Access their Instagram profile, get their user ID and automatically exploit this vulnerability.

Even if their profile is private, we get access to their photos. An example of this:

And since we are good people and in good cheer, let's congratulate the new acquisition.

IV. POC
---------------
http://imgur.com/aZccK

V. BUSINESS IMPACT
---------------
An attacker can execute a brute-force attack against a targeted
user's account; this can be leveraged to steal the user's private pictures.

VI. SYSTEMS AFFECTED
---------------
Instagram

VII. SOLUTION
---------------
Not fixed

VIII. REFERENCES
---------------
http://www.instagram.com
http://blog.seguesec.com
http://twitter.com/0xroot
