Arne Swinnen says that he discovered two distinct vulnerabilities which could – when combined with the site’s weak password policies, and a lack of two-factor authentication and other mitigating security controls – have allowed an attacker to break into accounts, including those belonging to high profile celebrities.
If high profile accounts had been hacked, they could have been exploited to send spam messages and malicious links to millions of followers, and potentially opened opportunities for embarrassing intimate photo leaks like those seen during 2014’s notorious Celebgate.
The first flaw existed in Instagram’s Android app, which correctly blocked incorrect password guesses after 1000 attempts from the same IP address but then (bizarrely) allowed them on every other attempt after the 2000th.
“This allowed a reliable brute-force attack, since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received. The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt.”
Swinnen noted that the site also failed to identify that the same IP address was being used in the repeated attempts to crack the password, missing opportunities to alert that an account might be under attack or to lock it as a precautionary measure.
Additionally, the researcher uncovered a security problem with Instagram’s website – specifically how it related to user registration.
Again, Instagram did not have sufficient protection mechanisms in place – such as rate-limiting or account lockout – to prevent brute force attacks from succeeding.
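As an added illustration, not code from Swinnen or Instagram, here is a defender-side login guard that applies the controls the article says were missing: a per-IP and per-account lockout that refuses every request once the threshold is reached (rather than letting every other one through), and an alert when a single IP fails against many accounts. The 1000-per-IP figure comes from the article; the per-account and alert thresholds, the window, and the IP and account names are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECS = 3600          # sliding window for counting failures (assumed)
MAX_FAILS_PER_IP = 1000     # per-IP threshold, the figure cited in the article
MAX_FAILS_PER_ACCOUNT = 10  # per-account threshold (assumed value)
SPRAY_ACCOUNTS = 5          # one IP failing against this many accounts -> alert (assumed)

class LoginGuard:
    """Tracks failed logins per source IP and per account over a sliding window.
    Once a counter reaches its threshold every further request is refused until
    the window drains; there is no 'every other attempt' gap to replay through."""
    def __init__(self):
        self.ip_fails = defaultdict(deque)
        self.acct_fails = defaultdict(deque)
        self.ip_accounts = defaultdict(set)   # distinct accounts each IP failed on
        self.alerts = []

    @staticmethod
    def _prune(dq, now):
        while dq and now - dq[0] > WINDOW_SECS:
            dq.popleft()

    def allowed(self, ip, account, now):
        """Decide BEFORE the password is checked, so refused requests leak nothing."""
        self._prune(self.ip_fails[ip], now)
        self._prune(self.acct_fails[account], now)
        return (len(self.ip_fails[ip]) < MAX_FAILS_PER_IP
                and len(self.acct_fails[account]) < MAX_FAILS_PER_ACCOUNT)

    def record_failure(self, ip, account, now):
        self.ip_fails[ip].append(now)
        self.acct_fails[account].append(now)
        self.ip_accounts[ip].add(account)
        if len(self.ip_accounts[ip]) == SPRAY_ACCOUNTS:   # fire once per IP
            self.alerts.append(f"{ip} failed against {SPRAY_ACCOUNTS} accounts")

def replay_brute_force(attempts, ip="203.0.113.7", account="victim"):
    """Constructed scenario: one IP sends `attempts` wrong passwords for one account,
    one second apart. Returns the decisions made after the account threshold."""
    guard, decisions = LoginGuard(), []
    for t in range(attempts):
        ok = guard.allowed(ip, account, t)
        decisions.append(ok)
        if ok:
            guard.record_failure(ip, account, t)   # every guess is wrong
    return decisions[MAX_FAILS_PER_ACCOUNT:]       # must be all False

def spray_from_one_ip(n_accounts, ip="203.0.113.7"):
    """Constructed scenario: one IP fails once against each of n_accounts accounts.
    Returns (alerts raised, number of attempts that got through the guard)."""
    guard, allowed_count = LoginGuard(), 0
    for i in range(n_accounts):
        if guard.allowed(ip, f"user{i}", i):
            allowed_count += 1
            guard.record_failure(ip, f"user{i}", i)
    return guard.alerts, allowed_count
```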
Instagram was reported to have started rolling out two-step verification to better protect accounts from hackers in February, but it is thought that the system has not yet gone worldwide. That’s a shame, as it would certainly help make life much more difficult for account hackers.
Facebook, who run Instagram, has responded to Swinnen’s vulnerability reports by strengthening rate-limiting on the Instagram website.
In addition, Instagram’s password policy has been slightly hardened, and particularly dumb, easy-to-predict passwords like “123456” and “password” outlawed.
This isn’t the first time that Swinnen has uncovered serious security holes in Facebook-owned Instagram.
In March, for instance, Facebook patched a serious vulnerability in Instagram which could have allowed malicious attackers to seize control of up to 20 million locked accounts.
Swinnen uncovered that exploitation of the security flaw, combined with weak password policies being used by Instagram, could potentially allow attackers to hijack four percent of the photo-sharing site’s 500 million accounts.
Swinnen was awarded US $5,000 for his discovery, which was disclosed responsibly to Facebook as part of its bug bounty program.
Swinnen stumbled across the vulnerabilities after he received a verification request from Instagram when attempting to log into a test account.
The researcher discovered that the verification link contained an incremental numeric user ID in its URL – something with which seasoned vulnerability researchers find it hard to resist meddling.
As Swinnen changed the numeric user ID in the URL using a simple script, he was sometimes greeted with verification pages that did not offer to send a verification code to the user’s email address, but occasionally asked for another interaction from the user.
Swinnen enumerated the user ID with interesting results – sometimes exposing a security vulnerability.
In 0.17% of cases during his testing, Swinnen was asked to update the email addresses of temporarily locked accounts.
Once an account was given a new email address, a password reset could then be performed giving an unauthorised party complete access to the account.
In 3.88% of cases, the verification page would request that a phone number be entered, to which Instagram would send a security code, again opening clear opportunities for hackers to commandeer accounts. Worse still, the form also broke privacy by displaying the account owner’s current mobile phone number.
“This case was the most troublesome, as an attacker could on one hand gather sensitive user information (pre-filled phone number in some cases), and on the other hand simply update the phone number linked to the victim Instagram account.”
“After successfully linking a new phone number, an attacker could perform the “reset password via SMS” scenario and gain complete access to the account. Big security impact, and almost 4% of all accounts affected in the one million range. A quick manual verification also learned that these were mostly human accounts which had been inactive for a couple of weeks, of which many had a good amount of followers on Instagram.”
With so much success finding flaws in Instagram, you have to wonder when the photo-sharing social network will offer Swinnen a full-time job.