10 Interesting Vulnerabilities in Instagram Arne Swinnen

8/19/2019 10 Interesting Vulnerabilities in Instagram Arne Swinnen

1/196

THE TALES OF A BUG BOUNTY HUNTER:

10 INTERESTING VULNERABILITIES IN

INSTAGRAM

ARNE SWINNEN

@ARNESWINNEN

HTTPS://WWW.ARNESWINNEN.NET


2/196

• Arne Swinnen from Belgium, 26 years old• IT Security Consultant since 2012• Companies I have directly worked for:

WHOAMI

2

Currently Past

One packer to rule them all Cyber Security Challenge

Belgium


3/196

AGENDA

• Introduction

• Setup

• Man-in-the-Middle

• Signature Key Phishing

• APK Decompilation

• Vulnerabilities

• Infrastructure: 2

• Web: 2

• Hybrid: 4• Mobile: 2

• Conclusion

• Q&A

3


4/196

INTRO

4


5/196

INTRODUCTION

5

Motivation

• Intention since 2012• CTF-like, with rewards• Write-ups

Timing

• Since April 2015• Time spent: +-6 weeks• Vacations sacrificed


6/196

INTRODUCTION

• “Facebook for Mobile Pictures”: iOS & Android Apps, Web

• 400+ Million Monthly Active Users in September 2015

• Included in Facebook’s Bug Bounty Program

6


7/196

INTRODUCTION

7

Private account Public account


8/196

SETUP

8


9/196


10/196


11/196

MAN-IN-THE-MIDDLE

• Attempt 1: Android Wifi Proxy Settings

11


12/196

MAN-IN-THE-MIDDLE

• Attempt 1: Android Wifi Proxy Settings (ctd.)

Instagram v6.18.0

25/03/2015 12


13/196

MAN-IN-THE-MIDDLE

• Attempt 1: Android Wifi Proxy Settings (ctd.)

Instagram v6.18.0

25/03/2015 13


14/196

MAN-IN-THE-MIDDLE

• Attempt 2: Ad-hoc WiFi Access Point

Personal Android device

USB Tethering ONPersonal Macbook Pro

Internet Sharing via WiFi ONAndroid Test Device

Connected to Ad-hoc Network 14


15/196

MAN-IN-THE-MIDDLE

• Attempt 2: Ad-hoc WiFi Access Point (ctd.)


16/196

MAN-IN-THE-MIDDLE


Instagram v6.18.0

25/03/2015 16


17/196

MAN-IN-THE-MIDDLE


Instagram v6.18.0

25/03/2015 17


18/196

MAN-IN-THE-MIDDLE


Instagram v7.10.0

05/11/2015 18


19/196

MAN-IN-THE-MIDDLE


Instagram v7.10.0

05/11/2015 19


20/196

MAN-IN-THE-MIDDLE

• Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning

20


21/196

MAN-IN-THE-MIDDLE

• Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning

21


22/196

MAN-IN-THE-MIDDLE

• Attempt 4: Ad-hoc WiFi AP & Smali Bypass

22


23/196

MAN-IN-THE-MIDDLE

• Attempt 4: Ad-hoc WiFi AP & Smali Bypass (ctd.)

23


24/196

MAN-IN-THE-MIDDLE

• Attempt 4: Ad-hoc WiFi AP & Smali Bypass (ctd.)

24


25/196

SIGNATURE KEY PHISHING

25


26/196

signed_body=0df7827209d895b1478a35a1882a9e1c87d3ba114cf8b1f603494b08b5d093b1.{"_csrftoken":"423d22c063a801f468f21d449ed8a103","username":"abc","guid":"b0644495-5663-4917-b889-156f95b7f610","device_id":"android-f86311b4vsa5j7d2","password":"abc",

"login_attempt_count":"11"}


26

HMACSHA256


27/196

signed_body=0df7827209d895b1478a35a1882a9e1c87d3ba114cf8b1f603494b08b5d093b1.{"_csrftoken":"423d22c063a801f468f21d449ed8a103","username":"abc","guid":"b0644495-5663-4917-b889-156f95b7f610","device_id":"android-f86311b4vsa5j7d2","password":"abc",

"login_attempt_count":"11"}


27

HMACSHA256


28/196


28


29/196


HMACSHA256

Key

29


30/196


30


31/196


c1c7d84501d2f0df05c378f5efb9120909ecfb39dff5494aa361ec0deadb509a

Source: http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/

31

http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/


32/196


32


33/196


33


34/196


34


35/196


35


36/196


36


37/196


37


38/196

APK DECOMPILATION

1. Decompile APK to java source code (d2j-dex2jar & jd-cli)

?

38


39/196

APK DECOMPILATION


2. Identify endpoints & compare APK versions programmatically

grep -roE \'"[^":\. ]+/[^":\. ]*"\‘

39


40/196

APK DECOMPILATION



40


41/196

APK DECOMPILATION



3. Test old (legacy code) & monitor new endpoints (fresh code)

41


42/196

VULNERABILITIES

42


43/196

INFRASTRUCTURE

1. Instagram.com Subdomain Hijacking on Local Network

43

# python subbrute.py instagram.com


44/196

INFRASTRUCTURE


44

# python subbrute.py instagram.cominstagram.comwww.instagram.com

blog.instagram.comi.instagram.comadmin.instagram.commail.instagram.comsupport.instagram.comhelp.instagram.com

platform.instagram.comapi.instagram.combusiness.instagram.combp.instagram.comgraphite.instagram.com...


45/196

INFRASTRUCTURE


45


46/196


47/196

INFRASTRUCTURE


47


48/196

INFRASTRUCTURE


48

How to exploit?


49/196

INFRASTRUCTURE


a) Claim 10.* IP on local network & start local webserver ofhttp://graphite.instagram.com

b) Lure victim into browsing to http://graphite.instagram.com

and serve login page of https://www.instagram.com

c) Hope that the victim provides credentials

49

http://graphite.instagram.com/http://graphite.instagram.com/https://www.instagram.com/https://www.instagram.com/http://graphite.instagram.com/http://graphite.instagram.com/


50/196

INFRASTRUCTURE


50

Local networkaccess

SocialEngineering


51/196

INFRASTRUCTURE


51

Local networkaccess

SocialEngineering


52/196

INFRASTRUCTURE


52

Domain=instagram.com httponly


53/196

INFRASTRUCTURE


53


54/196

INFRASTRUCTURE


a) Claim 10.* IP on local network & start local webserver ofhttp://graphite.instagram.com

b) Lure victim into browsing to http://graphite.instagram.com

while being authenticated to https://www.instagram.comc) Copy session cookie & hijack session

54

http://graphite.instagram.com/http://graphite.instagram.com/https://www.instagram.com/https://www.instagram.com/http://graphite.instagram.com/http://graphite.instagram.com/


55/196

INFRASTRUCTURE


55

Local networkaccess

SocialEngineering


56/196

INFRASTRUCTURE


56

Thank you for your reply. This issue has been discussed at great lengths with theFacebook Security Team and while this behavior may be changed at some pointin the future, it is not eligible for the bug bounty program. Although this issue

does not qualify we appreciate your report and will follow up with you on anysecurity bugs or with any further questions we may have.

Thanks and good luck with future bug hunting!


57/196

INFRASTRUCTURE


57

Thank you for your reply. This issue has been discussed at great lengths with theFacebook Security Team and while this behavior may be changed at some pointin the future, it is not eligible for the bug bounty program. Although this issue

does not qualify we appreciate your report and will follow up with you on anysecurity bugs or with any further questions we may have.

Thanks and good luck with future bug hunting!


58/196

INFRASTRUCTURE


58


59/196

INFRASTRUCTURE

59Source: https://exfiltrated.com/research-Instagram-RCE.php


60/196

INFRASTRUCTURE

60Source: https://exfiltrated.com/research-Instagram-RCE.php


61/196

INFRASTRUCTURE

61$2500

Source: https://exfiltrated.com/research-Instagram-RCE.php


62/196

INFRASTRUCTURE


62


63/196

INFRASTRUCTURE


63

Subdomainsresolve tolocal IPs 10.*

Sessioncookiescoped to allsubdomains


64/196

INFRASTRUCTURE

2. Employee Email Authentication Brute-Force Lockout

64


65/196

INFRASTRUCTURE


65


66/196

INFRASTRUCTURE


66


67/196

INFRASTRUCTURE


67


68/196

INFRASTRUCTURE


a) Outdated Proofpoint Protection Server (7.1 < 7.5)

b) Brute-force possible against exposed login screens

68


69/196

INFRASTRUCTURE




69

Thank you for your patience here. After discussions with the product team andthe security team, we have determined that this report does not pose asignificant risk to user security and/or privacy. As such, this report is not eligiblefor our bug bounty program.


70/196

INFRASTRUCTURE




70

Thank you for your patience here. After discussions with the product team andthe security team, we have determined that this report does not pose asignificant risk to user security and/or privacy. As such, this report is not eligiblefor our bug bounty program.


71/196

INFRASTRUCTURE


71


72/196

INFRASTRUCTURE


72


73/196

WEB

3. Public Profile Tabnabbing

73


74/196

WEB


74


75/196

WEB


75


76/196

WEB


76

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/

We have previously been made aware of this issue and are in the process of investigating it. Thank you for submitting it to us. Please send along anyadditional security issues you encounter.

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/


77/196

WEB


77

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/

We have previously been made aware of this issue and are in the process of investigating it. Thank you for submitting it to us. Please send along anyadditional security issues you encounter.

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/


78/196

WEB


78


79/196

WEB


79


80/196

WEB

4. Web Server Directory Enumeration

80https://instagram.com


81/196

WEB


81https://instagram.com/?hl=en


82/196

WEB


82https://instagram.com/?hl=./en


83/196

WEB


83


84/196

WEB


84


85/196

WEB


85https://instagram.com/?hl=../locale/en


86/196

WEB


86https://instagram.com/?hl=../LOCALE/EN


87/196

WEB


87https://instagram.com/?hl=../wrong/en


88/196

WEB


88


89/196

WEB


89

42 hits for..//../locale/nl/


90/196

WEB


90

Thank you for sharing this information with us. Although this issue does notqualify as a part of our bounty program we appreciate your report. We willfollow up with you on any security bugs or with any further questions we may

have.


91/196

WEB


91

Thank you for sharing this information with us. Although this issue does notqualify as a part of our bounty program we appreciate your report. We willfollow up with you on any security bugs or with any further questions we may

have.


92/196

WEB


92

My apologies on my previous reply, it was intended for another report.…

After reviewing the issue you have reported, we have decided to award you a

bounty of $500 USD.


93/196

WEB


93

My apologies on my previous reply, it was intended for another report.…

After reviewing the issue you have reported, we have decided to award you a

bounty of $500 USD.

Application


94/196

WEB


94

There is one thing I'd like to add here. I have not tested this attack for obvious

reasons, but wouldn't the following request have resulted in a Denial of Serviceattack?:

https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/random%00https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/urandom%00

31/08/2015

ppDDOS


95/196

WEB


95

Have you already found some time to consider my last response?

18/10/2015


96/196

WEB


96

Thanks for being patient. When we considered the initial report, we had alreadyaccounted for the possibility of reading files such as /dev/random and/dev/urandom, and the reward is still $500. The act of reading those files doesnot significantly affect our infra-structure too much as we have systems in placeto deal with unresponsive servers.

29/12/2015


97/196

WEB


97

Thanks for being patient. When we considered the initial report, we had alreadyaccounted for the possibility of reading files such as /dev/random and/dev/urandom, and the reward is still $500. The act of reading those files doesnot significantly affect our infra-structure too much as we have systems in placeto deal with unresponsive servers.

29/12/2015


98/196

WEB


98


99/196

WEB


99


100/196

WEB + MOBILE

5. Private Account Shared Pictures Token Entropy

100

{"status": "ok","media": {

"organic_tracking_token":"eyJ2ZXJzaW9uIjozLCJwYXlsb2FkIjp7ImlzX2FuYWx5dGljc190cmFja2VkIjpmYWxzZSwidXVpZCI6IjYxNGMwYzk1MDRlNDRkMWU4YmI3ODlhZTY3MzUxZjNlIn0sInNpZ25hdHVyZSI6IiJ9",

"client_cache_key": "MTExODI1MTg5MjE1NDQ4MTc3MQ==.2","code": "-E1CvRRrxr",(...SNIP...)"media_type": 1,

"pk": 1118251892154481771,"original_width": 1080,"has_liked": false,"id": "1118251892154481771_2036044526"

},"upload_id": "1447526029474"

}


101/196

WEB + MOBILE


101

Privateaccount


102/196

WEB + MOBILE


102

Privateaccount


103/196

WEB + MOBILE


103

Privateaccount


104/196

WEB + MOBILE


104

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1Host: i.instagram.com

HTTP/1.1 200 OK(…SNIP…)

{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}


105/196

WEB + MOBILE


105

Privateaccount


106/196

WEB + MOBILE


106

@Kevin

Pk: 3

@MikeyK

Pk: 4

@BritneySpears

Pk: 12246775

@msvigdis

Pk: 12246776

1pJ1DhgBD- 159sxaABXG 16jJhVG8HU iV93JDG8Ue

1kHzf_gBLp 1onIDogBf3 1yFoqcm8D9 XMUVDFm8X80-pshJgBAg 0yi-hjgBaE 1tejnLm8Co VuWAQam8Xv

09pY_OgBPX 0k_oZWABSU 1r59lSm8GX Vj81GHm8W9

0l1GTXABDo 0gboKEgBYr 1qrMPRG8AB UEoTBAG8Sy

0k_apGABDm 0UDrVFgBVJ 1ghW7RG8B2 TfpmTGm8QP

0f5P_6ABOe z-maEDgBWK 1T3KHhm8N2 TWbKzfm8f-

0GEiJKABAC z5HB2BgBbj 1Q2H_WG8LX TVOOKEm8To

0BuHO9ABOx zxeRSGgBaL 1OywdMm8Lf TThPzXm8cm

z-9x5aABEq zSqgd5ABco 1H2JvGG8DL TS3Swlm8dZ

z8QVuXABD6 zQ6VkUABdH 08dtcTG8Hb TOtd3tm8Ve

z4vsirABO4 zJDzvRgBbR 00exOYm8Br TOfRfAm8aZ

z2KV0OgBIE zBrTlsABXv 0yXTU6m8MN TJikVLm8W9


107/196

WEB + MOBILE


107


108/196

WEB + MOBILE


108

Private victimaccount

(monitored by attacker)

Public attacker account

(generated right aftermonitor hit)

1yCwjTJRnk 1yCwodpTlC

1yC05mJRnq 1yC0_ApTlL

1yC5PqpRnu 1yC5UopTlX

1yC9nTJRnw 1yC9repTlk

1yDGULpRn9 1yDGaDpTl1

1yDKrvpRoB 1yDKvtJTl8

1yDPCCpRoI 1yDPHVpTl_

1yDTZGpRoO 1yDTdvpTmH

1yDXxRpRoW 1yDX1fJTmP

1yDgdBpRol 1yDgj6JTmb

1yDk1qpRop 1yDk6ypTme1yD6mjpRpT 1yD6sCpTnL

1yEDSqpRpn 1yEDXYJTnU

1yEHpNJRpt 1yEHuTpTnc

1yEQWTpRqD 1yEQb3pTnw

1yEUtCJRqL 1yEUyJJTn5

1yEZEKJRqU 1yEZI3pToI

1yEdaxpRqe 1yEdfEpToO


109/196

WEB + MOBILE


• These tokens represent identifiers based on the followingalphabet: A-Za-z0-9_- (64 characters in total)

• The first 6 characters are global, incremental identifiers• The 7th character only differs between 2 possibilities and is based

on the “Pk” of each user

• The 8th character is constant per user and is also based on the“Pk” of each user

• The 9th and 10th character are user-specific incrementalidentifiers with the same alphabet as the global identifier (seeabove)

109


110/196

WEB + MOBILE


• These tokens represent identifiers based on the followingalphabet: A-Za-z0-9_- (64 characters in total)

• The first 6 characters are global, incremental identifiers• The 7th character only differs between 2 possibilities and is based

on the “Pk” of each user


• The 9th and 10th character are user-specific incrementalidentifiers with the same alphabet as the global identifier (seeabove)

110


111/196

WEB + MOBILE


Entropy: 64^6 = 68.719.476.736 possibilities

• The 7th character only differs between 2 possibilities and isbased on the “Pk” of each user


Final entropy: 2 * 64^4 = 33.554.432 possibilities

Feasible!

111


112/196

WEB + MOBILE


112

After reviewing the issue you have reported, we have decided to award you abounty of $1000 USD.


113/196

WEB + MOBILE


113


114/196

WEB + MOBILE


114


115/196

WEB + MOBILE

6. Private Account Shared Pictures CSRF

115

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1Host: i.instagram.comUser-Agent: Instagram 7.10.0 Android (19/4.4.4; 320dpi; 768x1184; LGE/google;Nexus 4; mako; mako; en_US)

Cookie:sessionid=IGSC0098a4bee11b593953fd4a3fe0695560f407a103d8eef9f5be083ff21e186673:PEVejQeSkS2p8WYxAEgtyUWdXz9STvKM:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:7DcRpg1d0ve5T0NkbToN5yVleZUh0Ifh:571e05df8ecd8de2efc47dca5f222720233234f6f0511fb20e0ad42c1302ea27","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447525940.04528,"_platform":1}




116/196

WEB + MOBILE


116

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1Host: i.instagram.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Cookie:sessionid=IGSCffa96a73743adba6c93194ae05041159e0cf6ede2627ae3735c3aa9079cfe853:EasK95PNVAy5CUCA8RnhXrFsCy6I6S5R:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:QTKFc7soS0BHa61aqjAmoqLQ3B3hDkLd:d567a7909eb6db0bc766c5f1f168ae2c5e3086aae93c67273cda175933d96162","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last

_refreshed":1447628626.205864,"_platform":4}




117/196


118/196

WEB + MOBILE


118

a) Find Private Account pictures image_id

b) Find permalink of Shared Private Account picture

CSRF


119/196

WEB + MOBILE


a) Find Private Account pictures image_idUsertags Feed Authorization Bypass

119


120/196

WEB + MOBILE




120

O


121/196

WEB + MOBILE




121

After reviewing the issue you have reported, we have decided to award you abounty of $1000.

WEB MOBILE


122/196

WEB + MOBILE


122

WEB MOBILE


123/196

WEB + MOBILE


123

GETinstead ofPOST

CSRF

attack surface

WEB MOBILE


124/196

WEB + MOBILE

7. Email Address Account Enumeration

124

WEB MOBILE


125/196

WEB + MOBILE


125

WEB MOBILE


126/196

WEB + MOBILE


126

WEB + MOBILE


127/196

WEB + MOBILE


127

WEB + MOBILE


128/196

WEB + MOBILE


128

WEB + MOBILE


129/196

WEB + MOBILE


129


WEB + MOBILE


130/196

WEB + MOBILE


130


131/196

WEB + MOBILE


132/196

WEB + MOBILE

8. Account Takeover via Change Email Functionality

132

WEB + MOBILE


133/196

WEB + MOBILE


133

Spot the difference

WEB + MOBILE


134/196

WEB + MOBILE


134

WEB + MOBILE


135/196

WEB + MOBILE


135

WEB + MOBILE


136/196

WEB + MOBILE


136

WEB + MOBILE


137/196

WEB + MOBILE


137

WEB + MOBILE


138/196

WEB + MOBILE


a. Unconfirmed Email Address Reset to Default

138

WEB + MOBILE


139/196

WEB + MOBILE



139


140/196

WEB + MOBILE


141/196

WEB + MOBILE



141

WEB + MOBILE


142/196

WEB + MOBILE



142

WEB + MOBILE


143/196

WEB + MOBILE



143

WEB + MOBILE


144/196

WEB + MOBILE



144

WEB + MOBILE


145/196

WEB + MOBILE


b. Reclaim Email Address Link Invalidation

145

User Email address(es)victim [email protected]

attacker [email protected]@gmail.com

WEB + MOBILE


146/196

WEB + MOBILE

146

Scenario: Assume temporary access for an attacker to victim session

Man-in-the-Middle(before SSL Pinning)

Physical access tounlocked phone

Cross-site ScriptingVulnerability



WEB + MOBILE

Attacker


147/196

WEB + MOBILE

147



WEB + MOBILE

Attacker


148/196

WEB + MOBILE

148



WEB + MOBILE

Attacker


149/196

WEB + MOBILE

149



WEB + MOBILE

Attacker


150/196

WEB + MOBILE

150



WEB + MOBILE

Attacker


151/196

WEB + MOBILE

151



WEB + MOBILE

Attacker


152/196

WEB + MOBILE

152



WEB + MOBILE

Attacker


153/196

WEB + MOBILE

153



WEB + MOBILE

Attacker


154/196

WEB + MOBILE

154



WEB + MOBILE


155/196

WEB MOBILE

155

Victim Attacker

Email [email protected] [email protected]

Reclaim link https://instagram.com/accounts/disavow/xjo94i/

OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZz

FAZ21haWwuY29t/

https://instagram.com/accounts/disavow/xjo94i/

TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJ

AZ21haWwuY29t/

Currently ownsvictim account



WEB + MOBILE

Victim


156/196

WEB MOBILE



156

WEB + MOBILE

Victim


157/196

WEB MOBILE



157

WEB + MOBILE


158/196

WEB MOBILE



158

Currently ownsvictim account

Victim Attacker




FAZ21haWwuY29t/



AZ21haWwuY29t/

WEB + MOBILE

Attacker


159/196

WEB MOBILE



159

WEB + MOBILE

Attacker


160/196



160

WEB + MOBILE


161/196



161

Wins!

Victim Attacker




FAZ21haWwuY29t/



AZ21haWwuY29t/

WEB + MOBILE


162/196



162


WEB + MOBILE


163/196


163

WEB + MOBILE


164/196


164Mail to wrongemail address

Allow chaining of“secure account”

links

MOBILE


165/196

9. Private Account Users Following

165

MOBILE


166/196


166

MOBILE


167/196


167

GET /api/v1/discover/su_refill/?target_id=2036044526 HTTP/1.1Host: i.instagram.comConnection: Keep-Alive

Cookie:sessionid=IGSCd064c22cd43d17a15dca6bc3a903cb18e8f9e292a859c9d1289ba268103ee563%3A1WJvjHstqAnPj0i5dcjVRpgcn3wCRQgk%3A%7B%22_token_ver%22%3A1%2C%22_auth_user_id%22%3A2028428082%2C%22_token%22%3A%222028428082%3AYeZzCYWQLGD8D7d3NzFIbBiWlYJVVa7G%3A078ae8d72b72846a6431945fd59c38f1b04b8f93dd6ec4b20165693e65b21915%22%2C%22_auth_u

ser_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C%22last_refreshed%22%3A1441031445.81182%2C%22_platform%22%3A1%7D; ds_user=pentestingvictim

MOBILE


168/196


168


{"status": "ok","items": [{

"caption": "","social_context": "Based on follows","user":{

"username": "springsteen","has_anonymous_profile_picture": false,"profile_pic_url": "http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-

xfa1\/t51.2885-19\/11370983_1020871741276370_1099684925_a.jpg","full_name": "Bruce Springsteen",

"pk": "517058514","is_verified": true,"is_private": false

},"algorithm": "chaining_refill_algorithm","thumbnail_urls": ["http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-

15\/s150x150\/e35\/11373935_872054516217170_419659415_n.jpg?"],

MOBILE


169/196


169

{"caption": "","social_context": "Based on follows","user":{

"username": "pentesttest","has_anonymous_profile_picture": true,"profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg","full_name": "rest","pk": "1966431878","is_verified": false,"is_private": true

},"algorithm": "chaining_refill_algorithm","thumbnail_urls": [],

"large_urls": [],"media_infos": [],"media_ids": [],"icon": ""

}]}

MOBILE


170/196


170

{"caption": "","social_context": "Based on follows","user":{

"username": "pentesttest","has_anonymous_profile_picture": true,"profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg","full_name": "rest","pk": "1966431878","is_verified": false,"is_private": true

},"algorithm": "chaining_refill_algorithm","thumbnail_urls": [],

"large_urls": [],"media_infos": [],"media_ids": [],"icon": ""

}]}

MOBILE


171/196


171

After reviewing the issue you have reported, we have decided to award you abounty of $2,500 USD.

MOBILE


172/196


172

MOBILE


173/196


173

MOBILE


174/196

10. Steal Money Through Premium Rate Phone Numbers

174

MOBILE


175/196


175

MOBILE


176/196


176


177/196

MOBILE


178/196


178

MOBILE


179/196


179

MOBILE


180/196


180

MOBILE


181/196


181

This is intentional behavior in our product. We do not consider it a securityvulnerability, but we do have controls in place to monitor and mitigate abuse.

MOBILE


182/196


182


MOBILE


183/196


183


MOBILE


184/196


184

1 account 100 accounts

$2 / h $200 / h

$48 / day $4.800 / day

$1.440 / month $144.000 / month

MOBILE


185/196


185

Hello again! We'll be doing some fine-tuning of our rate limits and work on theservice used for outbound calls in response to this submission, so this issue willbe eligible for a whitehat bounty. You can expect an update from us again whenthe changes have been made. Thanks!

...


MOBILE


186/196


186

MOBILE


187/196


187


188/196

CONCLUSION

188

CONCLUSION


189/196

189

# Vulnerability Category Bounty

1 Instagram.com Subdomain Hijacking on Local Network Infrastructure $0

2 Employee Email Authentication Brute-Force Lockout Infrastructure $0

3 Public Profile Tabnabbing Web $0

4 Web Server Directory Enumeration Web $500

5 Private Account Shared Pictures Token Entropy Hybrid $1000

6 Private Account Shared Pictures CSRF Hybrid $1000

7 Email Address Account Enumeration Hybrid $750

8 Account Takeover via Change Email Functionality Hybrid $20009 Private Account Users Following Mobile $2500

10 Steal Money Through Premium Rate Phone Numbers Mobile $2000 + 1

Total $9750 + 1


190/196

CONCLUSION


191/196

191

46%

39%

15%

SDLC Mapping Summary

Development (6)

Design (5)

Maintenance (2)

CONCLUSION


192/196

192#20/152

Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks

CONCLUSION


193/196

193#3/13

Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks

CONCLUSION


194/196

194

Hunting Reporting Disclosing

CONCLUSION


195/196

195

# Vulnerability Category Bounty

11 XXXX Mobile ?

12 XXXX Mobile ?

13 XXXX Mobile ?

14 XXXX Web ?

15 XXXX Infrastructure ?Total ?

THANK YOU! ANY QUESTIONS?


196/196

Documents

10 Interesting Vulnerabilities in Instagram Arne Swinnen