Security Experts:

Instagram Patches Privacy Vulnerability That Exposed Private Photos

Instagram "Friendship" Vulnerability Exposed Users' Private Photos and Profile Information

Spanish researcher Sebastián Guerrero published an advisory on Wednesday, detailing what he called a ‘friendship’ vulnerability in the popular image application, Instagram. The imaging social phenomenon fixed the flaw within hours of his public disclosure.

Instagram Security FlawInstagram started out as an application for iOS, but it was ported over to Android earlier this year. It’s a mini-social network on its own, and gained such popularity that Facebook spent more than $1 billion to acquire it recently.

Guerrero’s public advisory centered on a logic flaw within Instagram with the way the program deals with authorization.

“An attacker can perpetrate a brute force attack in the context of user application and add himself as a friend of all the users on Instagram, being possible in this way to get access to private albums and profile information,” a translated copy of the advisory states.

Facebook already has issues with the FTC over privacy to deal with, so it’s no surprise to learn that Instagram’s developers hammered out a fix rather quickly once the vulnerability was made public.

“We don't have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher. The technical researcher was not able to follow private users, nor were private users' data ever at risk,” Instagram’s bug fix notes explain.

Users should have received update notifications once the fix was released.

The translated verson of the advisory can be found below:

 

=================================================================

Vulnerability on Instagram application (Friendship Vulnerability)

- Original release date: 

- Last revised: 

- Discovered by: Sebastián Guerrero Selma

- Severity: 5

=================================================================

 

I. VULNERABILITY

-------------------------

Instagram lack of control on authorization logic allows an user

to add himself as a friend of any user on Instagram social network

 

II. BACKGROUND

-------------------------

Instagram is a free photo sharing program launched in October 2010 

that allows users to take a photo, apply a digital filter to it, and

then share it on a variety of social networking services, including 

Instagram's own. A distinctive feature confines photos to a square 

shape, similar to Kodak Instamatic and Polaroid images, in contrast 

to the 4:3 aspect ratio typically used by mobile device cameras.

 

Instagram was initially supported on iPhone, iPad, and iPod Touch; 

in April 2012, the company added support for Android camera phones 

running 2.2 (Froyo) or higher. It is distributed via the iTunes App 

Store and Google Play.

 

III. DESCRIPTION

-------------------------

The mobile application of Android & iPhone is affected by a remote

vulnerability due the lack of control on the logic applied to

authorization feature.

 

An attacker can perpetrate a brute force attack in the context of

user application and add himself as a friend of all the users on

Instagram, being possible in this way to get access to private 

albums and profile information.

 

IV. POC

-------------------------

http://imgur.com/aZccK

 

V. BUSINESS IMPACT

-------------------------

An attacker can execute a brute force attack in a targeted

user's account, this can leverage to steal user private pictures.

 

VI. SYSTEMS AFFECTED

-------------------------

Instagram

 

VII. SOLUTION

-------------------------

Not fixed

 

VIII. REFERENCES

-------------------------

http://www.instagram.com

http://blog.seguesec.com

http://twitter.com/0xroot

 

IX. CREDITS

-------------------------

This vulnerability has been discovered

by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).

 

X. REVISION HISTORY

-------------------------

 

XI. DISCLOSURE TIMELINE

-------------------------

July    10, 2012: Discovered by Sebastián Guerrero Selma

July    10, 2012: Vendor contacted including PoC.

 

XII. LEGAL NOTICES

-------------------------

The information contained within this advisory is supplied "as-is"

with no warranties or guarantees of fitness of use or otherwise.

Sebastián Guerrero Selma accepts no responsibility for any damage

caused by the use or misuse of this information.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.