Instagram “Friendship” Vulnerability Exposed Users’ Private Photos and Profile Information
Spanish researcher Sebastián Guerrero published an advisory on Wednesday, detailing what he called a ‘friendship’ vulnerability in the popular image application, Instagram. The imaging social phenomenon fixed the flaw within hours of his public disclosure.
Instagram started out as an application for iOS, but it was ported over to Android earlier this year. It’s a mini-social network on its own, and gained such popularity that Facebook spent more than $1 billion to acquire it recently.
Guerrero’s public advisory centered on a logic flaw within Instagram with the way the program deals with authorization.
“An attacker can perpetrate a brute force attack in the context of user application and add himself as a friend of all the users on Instagram, being possible in this way to get access to private albums and profile information,” a translated copy of the advisory states.
Facebook already has issues with the FTC over privacy to deal with, so it’s no surprise to learn that Instagram’s developers hammered out a fix rather quickly once the vulnerability was made public.
“We don’t have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher. The technical researcher was not able to follow private users, nor were private users’ data ever at risk,” Instagram’s bug fix notes explain.
Users should have received update notifications once the fix was released.
The translated verson of the advisory can be found below:
=================================================================
Vulnerability on Instagram application (Friendship Vulnerability)
– Original release date:
– Last revised:
– Discovered by: Sebastián Guerrero Selma
– Severity: 5
=================================================================
I. VULNERABILITY
————————-
Instagram lack of control on authorization logic allows an user
to add himself as a friend of any user on Instagram social network
II. BACKGROUND
————————-
Instagram is a free photo sharing program launched in October 2010
that allows users to take a photo, apply a digital filter to it, and
then share it on a variety of social networking services, including
Instagram’s own. A distinctive feature confines photos to a square
shape, similar to Kodak Instamatic and Polaroid images, in contrast
to the 4:3 aspect ratio typically used by mobile device cameras.
Instagram was initially supported on iPhone, iPad, and iPod Touch;
in April 2012, the company added support for Android camera phones
running 2.2 (Froyo) or higher. It is distributed via the iTunes App
Store and Google Play.
III. DESCRIPTION
————————-
The mobile application of Android & iPhone is affected by a remote
vulnerability due the lack of control on the logic applied to
authorization feature.
An attacker can perpetrate a brute force attack in the context of
user application and add himself as a friend of all the users on
Instagram, being possible in this way to get access to private
albums and profile information.
IV. POC
————————-
V. BUSINESS IMPACT
————————-
An attacker can execute a brute force attack in a targeted
user’s account, this can leverage to steal user private pictures.
VI. SYSTEMS AFFECTED
————————-
VII. SOLUTION
————————-
Not fixed
VIII. REFERENCES
————————-
http://www.instagram.com
http://blog.seguesec.com
IX. CREDITS
————————-
This vulnerability has been discovered
by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).
X. REVISION HISTORY
————————-
XI. DISCLOSURE TIMELINE
————————-
July 10, 2012: Discovered by Sebastián Guerrero Selma
July 10, 2012: Vendor contacted including PoC.
XII. LEGAL NOTICES
————————-
The information contained within this advisory is supplied “as-is”
with no warranties or guarantees of fitness of use or otherwise.
Sebastián Guerrero Selma accepts no responsibility for any damage
caused by the use or misuse of this information.
