THE TALES OF A BUG BOUNTY HUNTER: 10 INTERESTING VULNERABILITIES IN INSTAGRAM ARNE SWINNEN @ARNESWINNEN HTTPS://WWW.ARNESWINNEN.NET

Feb 22, 2018

Transcript
Page 1: 10 Interesting vulnerabilities in Instagram - Arne Swinnen · PDF fileTHE TALES OF A BUG BOUNTY HUNTER: 10 INTERESTING VULNERABILITIES IN INSTAGRAM ... •Signature Key Phishing ...

THE TALES OF A BUG BOUNTY HUNTER:

10 INTERESTING VULNERABILITIES IN

INSTAGRAM

ARNE SWINNEN

@ARNESWINNEN

HTTPS://WWW.ARNESWINNEN.NET

WHOAMI

• Arne Swinnen from Belgium, 26 years old

• IT Security Consultant since 2012

• Companies I have directly worked for: Currently / Past (logos)

One packer to rule them all

Cyber Security Challenge Belgium

AGENDA

• Introduction

• Setup

  • Man-in-the-Middle

  • Signature Key Phishing

  • APK Decompilation

• Vulnerabilities

  • Infrastructure: 2

  • Web: 2

  • Hybrid: 4

  • Mobile: 2

• Conclusion

• Q&A

INTRO

INTRODUCTION

Motivation

• Intention since 2012

• CTF-like, with rewards

• Write-ups

Timing

• Since April 2015

• Time spent: +-6 weeks

• Vacations sacrificed

INTRODUCTION

• “Facebook for Mobile Pictures”: iOS & Android Apps, Web

• 400+ Million Monthly Active Users in September 2015

• Included in Facebook’s Bug Bounty Program

INTRODUCTION

Private account vs. Public account (screenshots)

SETUP

MAN-IN-THE-MIDDLE

• Attempt 1: Android Wifi Proxy Settings (Instagram v6.18.0, 25/03/2015)

• Attempt 2: Ad-hoc WiFi Access Point

Personal Android device (USB Tethering ON) -> Personal Macbook Pro (Internet Sharing via WiFi ON) -> Android Test Device (connected to Ad-hoc Network)

• Attempt 2: Ad-hoc WiFi Access Point (ctd.): Instagram v6.18.0 (25/03/2015), Instagram v7.10.0 (05/11/2015)

• Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning

• Attempt 4: Ad-hoc WiFi AP & Smali Bypass

SIGNATURE KEY PHISHING

signed_body=0df7827209d895b1478a35a1882a9e1c87d3ba114cf8b1f603494b08b5d093b1.{"_csrftoken":"423d22c063a801f468f21d449ed8a103","username":"abc","guid":"b0644495-5663-4917-b889-156f95b7f610","device_id":"android-f86311b4vsa5j7d2","password":"abc","login_attempt_count":"11"}

The 64-hex prefix before the "." is an HMAC-SHA256 of the JSON body, computed with a Key.

Key: c1c7d84501d2f0df05c378f5efb9120909ecfb39dff5494aa361ec0deadb509a

Source: http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/
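An added illustration (not the slide's or Instagram's code) of the signed_body format above: the JSON body is serialised, an HMAC-SHA256 over those bytes is computed with the signature key, and the hex MAC is prefixed to the JSON with a ".". The key and request body below are constructed placeholders, not the values on the slide; the verify routine shows why a MAC keyed with a secret that ships inside the app proves only that the sender had the key, not who the sender is.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for the demo; not the key shown on the slide.
DEMO_KEY = b"placeholder-signature-key"


def make_signed_body(key: bytes, body: dict) -> str:
    """Produce '<hex HMAC-SHA256>.<JSON>' in the shape shown on the slide.

    The JSON is serialised once and the MAC covers exactly those bytes, so the
    verifier must MAC the received text as-is rather than re-serialising it.
    """
    payload = json.dumps(body, separators=(",", ":"))
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{mac}.{payload}"


def verify_signed_body(key: bytes, signed_body: str):
    """Server-side check: split at the first '.', recompute the MAC over the
    JSON suffix and compare in constant time. Returns the parsed body on
    success and None when the MAC or the JSON is bad."""
    mac, sep, payload = signed_body.partition(".")
    if not sep or len(mac) != 64:
        return None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


# Constructed request body, modelled on the login request on the slide.
SAMPLE_BODY = {
    "_csrftoken": "0000000000000000",
    "username": "abc",
    "guid": "00000000-0000-0000-0000-000000000000",
    "device_id": "android-placeholder",
    "password": "abc",
    "login_attempt_count": "11",
}


def demo():
    """Three cases: valid body, tampered body, body forged with the same key."""
    signed = make_signed_body(DEMO_KEY, SAMPLE_BODY)
    valid = verify_signed_body(DEMO_KEY, signed) == SAMPLE_BODY
    # Change one value in the JSON suffix: the MAC no longer matches.
    tampered = verify_signed_body(DEMO_KEY, signed.replace('"11"', '"0"')) is None
    # Anyone holding the key can sign any body, so fields such as
    # login_attempt_count cannot be trusted just because the MAC checks out.
    forged = make_signed_body(DEMO_KEY, dict(SAMPLE_BODY, login_attempt_count="0"))
    forged_accepted = verify_signed_body(DEMO_KEY, forged) is not None
    return valid, tampered, forged_accepted


if __name__ == "__main__":
    print(demo())
```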

APK DECOMPILATION

1. Decompile APK to java source code (d2j-dex2jar & jd-cli)

2. Identify endpoints & compare APK versions programmatically

grep -roE '"[^":\. ]+/[^":\. ]*"'

3. Test old (legacy code) & monitor new endpoints (fresh code)
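An added example (not the talk's own tooling) of step 2: it applies the slide's grep pattern to two decompiled source trees, held here as constructed inline strings, and reports which endpoint strings appeared, disappeared or survived between versions, which is the list step 3 works from. scan_tree is an assumed helper that runs the same extraction over a directory of .java files.

```python
import os
import re

# The pattern from the slide: a double-quoted string containing a '/' but no
# quote, colon, dot or space, i.e. a relative API path rather than a full URL.
ENDPOINT_RE = re.compile(r'"([^":\. ]+/[^":\. ]*)"')


def extract_endpoints(java_source: str) -> set:
    """Return the set of endpoint-looking string literals in one source text."""
    return set(ENDPOINT_RE.findall(java_source))


def scan_tree(root: str) -> set:
    """Same extraction over every .java file below root (what grep -r did)."""
    found = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".java"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found |= extract_endpoints(fh.read())
    return found


def diff_endpoints(old_source: str, new_source: str):
    """Compare two versions: (added, removed, unchanged), each sorted.

    'removed' endpoints may still be served by legacy code on the backend,
    and 'added' ones are the freshly written code worth monitoring."""
    old, new = extract_endpoints(old_source), extract_endpoints(new_source)
    return sorted(new - old), sorted(old - new), sorted(old & new)


# Constructed stand-ins for decompiled output of two app versions; the paths
# are illustrative and not taken from any real build.
OLD_VERSION_SRC = '''
public class ApiPaths {
  String login = "accounts/login/";
  String legacy = "accounts/legacy_login/";
  String base = "https://example.invalid/api/v1/";
  String media = "media/%s/info/";
}
'''

NEW_VERSION_SRC = '''
public class ApiPaths {
  String login = "accounts/login/";
  String twoFactor = "accounts/two_factor_login/";
  String base = "https://example.invalid/api/v1/";
  String media = "media/%s/info/";
  String friendships = "friendships/show/%s/";
}
'''

if __name__ == "__main__":
    added, removed, same = diff_endpoints(OLD_VERSION_SRC, NEW_VERSION_SRC)
    print("new endpoints:", added)
    print("dropped endpoints:", removed)
    print("unchanged endpoints:", same)
```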

VULNERABILITIES

INFRASTRUCTURE

1. Instagram.com Subdomain Hijacking on Local Network

# python subbrute.py instagram.com
instagram.com
www.instagram.com
blog.instagram.com
i.instagram.com
admin.instagram.com
mail.instagram.com
support.instagram.com
help.instagram.com
platform.instagram.com
api.instagram.com
business.instagram.com
bp.instagram.com
graphite.instagram.com
...

How to exploit?

a) Claim 10.* IP on local network & start local webserver of http://graphite.instagram.com

b) Lure victim into browsing to http://graphite.instagram.com and serve login page of https://www.instagram.com

c) Hope that the victim provides credentials

Prerequisites: Local network access, Social Engineering

Session cookie: Domain=instagram.com httponly

a) Claim 10.* IP on local network & start local webserver of http://graphite.instagram.com

b) Lure victim into browsing to http://graphite.instagram.com while being authenticated to https://www.instagram.com

c) Copy session cookie & hijack session

Prerequisites: Local network access, Social Engineering

Thank you for your reply. This issue has been discussed at great lengths with the Facebook Security Team and while this behavior may be changed at some point in the future, it is not eligible for the bug bounty program. Although this issue does not qualify we appreciate your report and will follow up with you on any security bugs or with any further questions we may have.

Thanks and good luck with future bug hunting!

Source: https://exfiltrated.com/research-Instagram-RCE.php

$2500

1. Instagram.com Subdomain Hijacking on Local Network

Root causes: Subdomains resolve to local IPs 10.*; Session cookie scoped to all subdomains
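An added defender-side check (not from the talk) for the two root causes listed above: public hostnames whose DNS answer lands in RFC 1918 space, and a session cookie whose Domain attribute scopes it to every subdomain and which lacks the Secure flag. The resolver output and the Set-Cookie headers below are constructed samples, not captured data.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_private_resolutions(resolutions: dict) -> list:
    """Return (hostname, address) pairs whose public DNS answer is a private
    address. Such a name can be claimed by any host on a LAN that uses that
    range, while the browser still treats it as a subdomain of the public
    domain."""
    hits = []
    for name, addr in resolutions.items():
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918):
            hits.append((name, addr))
    return sorted(hits)


def cookie_scope(set_cookie_header: str) -> dict:
    """Parse one Set-Cookie header into the scoping facts that matter here:
    an explicit Domain attribute (cookie sent to all subdomains), the Secure
    flag (cookie withheld from plain-http hosts) and HttpOnly."""
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {
        "name": name,
        "domain": attrs.get("domain"),
        "all_subdomains": "domain" in attrs,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def reaches_rogue_http_subdomain(set_cookie_header: str) -> bool:
    """True when a browser would send this cookie to http://<anything>.<domain>,
    i.e. when it is domain-scoped and not marked Secure."""
    scope = cookie_scope(set_cookie_header)
    return scope["all_subdomains"] and not scope["secure"]


# Constructed resolver output shaped like the subbrute listing above; the
# addresses are placeholders (203.0.113.0/24 is documentation space).
SAMPLE_RESOLUTIONS = {
    "www.instagram.com": "203.0.113.10",
    "api.instagram.com": "203.0.113.11",
    "graphite.instagram.com": "10.0.12.34",
    "bp.instagram.com": "10.1.2.3",
}

# Constructed headers: the attributes named on the slide, and a hardened form.
SAMPLE_SET_COOKIE = "sessionid=REDACTED; Domain=instagram.com; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "sessionid=REDACTED; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    print(find_private_resolutions(SAMPLE_RESOLUTIONS))
    print(reaches_rogue_http_subdomain(SAMPLE_SET_COOKIE),
          reaches_rogue_http_subdomain(HARDENED_SET_COOKIE))
```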

INFRASTRUCTURE

2. Employee Email Authentication Brute-Force Lockout

a) Outdated Proofpoint Protection Server (7.1 < 7.5)

b) Brute-force possible against exposed login screens

Thank you for your patience here. After discussions with the product team and the security team, we have determined that this report does not pose a significant risk to user security and/or privacy. As such, this report is not eligible for our bug bounty program.

WEB

3. Public Profile Tabnabbing

http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/

We have previously been made aware of this issue and are in the process of investigating it. Thank you for submitting it to us. Please send along any additional security issues you encounter.
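An added example (not the talk's code) of the check and fix for the tabnabbing pattern the linked write-up describes: a link opened with target="_blank" gives the new page a window.opener handle unless rel="noopener" is present. The audit lists the offending anchors in a page and the rewrite adds the attribute; the profile snippet is constructed.

```python
import re
from html.parser import HTMLParser


class OpenerAuditor(HTMLParser):
    """Collect hrefs of <a target="_blank"> links whose rel lacks 'noopener'.

    Without noopener the opened page receives a window.opener reference and
    can navigate the still-open profile tab elsewhere."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        if "noopener" not in a.get("rel", "").lower().split():
            self.unsafe.append(a.get("href", ""))


def audit_links(html: str) -> list:
    parser = OpenerAuditor()
    parser.feed(html)
    return parser.unsafe


ANCHOR_RE = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
TARGET_BLANK_RE = re.compile(r"""target\s*=\s*["']?_blank""", re.IGNORECASE)
REL_RE = re.compile(r"""rel\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)


def harden_links(html: str) -> str:
    """Rewrite every target=_blank anchor to carry rel="noopener noreferrer".

    noopener severs window.opener; noreferrer is added for older browsers
    that only honour that keyword."""

    def fix(match):
        tag = match.group(0)
        if not TARGET_BLANK_RE.search(tag):
            return tag
        rel = REL_RE.search(tag)
        if rel is None:
            return tag[:-1] + ' rel="noopener noreferrer">'
        tokens = rel.group(2).split()
        if "noopener" in (t.lower() for t in tokens):
            return tag
        new_rel = " ".join(tokens + ["noopener", "noreferrer"])
        return tag[: rel.start(2)] + new_rel + tag[rel.end(2):]

    return ANCHOR_RE.sub(fix, html)


# Constructed profile snippet: one unsafe external link, one already fixed,
# one internal link that opens in the same tab.
SAMPLE_PROFILE_HTML = (
    '<div class="bio">'
    '<a href="http://example.com/external" target="_blank">my site</a> '
    '<a href="http://example.org/other" target="_blank" rel="noopener">other</a> '
    '<a href="/accounts/">internal</a>'
    "</div>"
)

if __name__ == "__main__":
    print(audit_links(SAMPLE_PROFILE_HTML))
    print(audit_links(harden_links(SAMPLE_PROFILE_HTML)))
```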

WEB

4. Web Server Directory Enumeration

https://instagram.com
https://instagram.com/?hl=en
https://instagram.com/?hl=./en
https://instagram.com/?hl=../locale/en
https://instagram.com/?hl=../LOCALE/EN
https://instagram.com/?hl=../wrong/en

42 hits for ../<GUESS>/../locale/nl/

WEB

4. Web Server Directory Enumeration

90

Thank you for sharing this information with us. Although this issue does not

qualify as a part of our bounty program we appreciate your report. We will

follow up with you on any security bugs or with any further questions we may

have.

Page 91: 10 Interesting vulnerabilities in Instagram - Arne Swinnen · PDF fileTHE TALES OF A BUG BOUNTY HUNTER: 10 INTERESTING VULNERABILITIES IN INSTAGRAM ... •Signature Key Phishing ...

WEB

4. Web Server Directory Enumeration

91

Thank you for sharing this information with us. Although this issue does not

qualify as a part of our bounty program we appreciate your report. We will

follow up with you on any security bugs or with any further questions we may

have.

Page 92: 10 Interesting vulnerabilities in Instagram - Arne Swinnen · PDF fileTHE TALES OF A BUG BOUNTY HUNTER: 10 INTERESTING VULNERABILITIES IN INSTAGRAM ... •Signature Key Phishing ...

WEB

4. Web Server Directory Enumeration

92

My apologies on my previous reply, it was intended for another report.

After reviewing the issue you have reported, we have decided to award you a

bounty of $500 USD.

Page 93: 10 Interesting vulnerabilities in Instagram - Arne Swinnen · PDF fileTHE TALES OF A BUG BOUNTY HUNTER: 10 INTERESTING VULNERABILITIES IN INSTAGRAM ... •Signature Key Phishing ...

WEB

4. Web Server Directory Enumeration

93

My apologies on my previous reply, it was intended for another report.

After reviewing the issue you have reported, we have decided to award you a

bounty of $500 USD.

There is one thing I'd like to add here. I have not tested this attack for obvious reasons, but wouldn't the following request have resulted in a Denial of Service attack?:

https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/random%00
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/urandom%00

31/08/2015

Application DDOS

Have you already found some time to consider my last response?

18/10/2015

Thanks for being patient. When we considered the initial report, we had already accounted for the possibility of reading files such as /dev/random and /dev/urandom, and the reward is still $500. The act of reading those files does not significantly affect our infrastructure too much as we have systems in place to deal with unresponsive servers.

29/12/2015

WEB + MOBILE

5. Private Account Shared Pictures Token Entropy

API response after uploading a picture from a private account (snipped); the "code" value is the shortcode that later appears in the public permalink:

{
  "status": "ok",
  "media": {
    "organic_tracking_token": "eyJ2ZXJzaW9uIjozLCJwYXlsb2FkIjp7ImlzX2FuYWx5dGljc190cmFja2VkIjpmYWxzZSwidXVpZCI6IjYxNGMwYzk1MDRlNDRkMWU4YmI3ODlhZTY3MzUxZjNlIn0sInNpZ25hdHVyZSI6IiJ9",
    "client_cache_key": "MTExODI1MTg5MjE1NDQ4MTc3MQ==.2",
    "code": "-E1CvRRrxr",
    (...SNIP...)
    "media_type": 1,
    "pk": 1118251892154481771,
    "original_width": 1080,
    "has_liked": false,
    "id": "1118251892154481771_2036044526"
  },
  "upload_id": "1447526029474"
}

Slides 101-103: screenshots, annotated "Private account".

Looking up the permalink of the private account's picture by its media id:

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com

HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}

Slide 105: screenshot, annotated "Private account".

Examples of user ids ("Pk"):

@Kevin          Pk: 3
@MikeyK         Pk: 4
@BritneySpears  Pk: 12246775
@msvigdis       Pk: 12246776

Sample shortcodes (slide table, four columns):

1pJ1DhgBD-  159sxaABXG  16jJhVG8HU  iV93JDG8Ue
1kHzf_gBLp  1onIDogBf3  1yFoqcm8D9  XMUVDFm8X8
0-pshJgBAg  0yi-hjgBaE  1tejnLm8Co  VuWAQam8Xv
09pY_OgBPX  0k_oZWABSU  1r59lSm8GX  Vj81GHm8W9
0l1GTXABDo  0gboKEgBYr  1qrMPRG8AB  UEoTBAG8Sy
0k_apGABDm  0UDrVFgBVJ  1ghW7RG8B2  TfpmTGm8QP
0f5P_6ABOe  z-maEDgBWK  1T3KHhm8N2  TWbKzfm8f-
0GEiJKABAC  z5HB2BgBbj  1Q2H_WG8LX  TVOOKEm8To
0BuHO9ABOx  zxeRSGgBaL  1OywdMm8Lf  TThPzXm8cm
z-9x5aABEq  zSqgd5ABco  1H2JvGG8DL  TS3Swlm8dZ
z8QVuXABD6  zQ6VkUABdH  08dtcTG8Hb  TOtd3tm8Ve
z4vsirABO4  zJDzvRgBbR  00exOYm8Br  TOfRfAm8aZ
z2KV0OgBIE  zBrTlsABXv  0yXTU6m8MN  TJikVLm8W9


Shortcodes of a private victim account (monitored by the attacker) next to the shortcodes of a public attacker account, each generated right after the monitor hit:

Private victim account   Public attacker account
1yCwjTJRnk               1yCwodpTlC
1yC05mJRnq               1yC0_ApTlL
1yC5PqpRnu               1yC5UopTlX
1yC9nTJRnw               1yC9repTlk
1yDGULpRn9               1yDGaDpTl1
1yDKrvpRoB               1yDKvtJTl8
1yDPCCpRoI               1yDPHVpTl_
1yDTZGpRoO               1yDTdvpTmH
1yDXxRpRoW               1yDX1fJTmP
1yDgdBpRol               1yDgj6JTmb
1yDk1qpRop               1yDk6ypTme
1yD6mjpRpT               1yD6sCpTnL
1yEDSqpRpn               1yEDXYJTnU
1yEHpNJRpt               1yEHuTpTnc
1yEQWTpRqD               1yEQb3pTnw
1yEUtCJRqL               1yEUyJJTn5
1yEZEKJRqU               1yEZI3pToI
1yEdaxpRqe               1yEdfEpToO

Analysis of the shortcodes:

• These tokens represent identifiers based on the following alphabet: A-Za-z0-9_- (64 characters in total)

• The first 6 characters are global, incremental identifiers

• The 7th character only differs between 2 possibilities and is based on the "Pk" of each user

• The 8th character is constant per user and is also based on the "Pk" of each user

• The 9th and 10th characters are user-specific incremental identifiers with the same alphabet as the global identifier (see above)


Remaining search space. In the table above, a victim shortcode and the attacker shortcode generated right after it share their first four characters, which leaves six unknown characters:

Entropy: 64^6 = 68,719,476,736 possibilities

• The 7th character only differs between 2 possibilities and is based on the "Pk" of each user

• The 8th character is constant per user and is also based on the "Pk" of each user

Final entropy: 64^2 * 2 * 1 * 64^2 = 2 * 64^4 = 33,554,432 possibilities

Feasible!
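To see where the observations above come from, the following added example (not the author's tooling) decodes the slide's own shortcodes. The alphabet order is checked against the slide's own pair, code -E1CvRRrxr and pk 1118251892154481771: a shortcode is simply the 64-bit media id written in base 64. The bit layout used to split that id (41 bits of milliseconds since a custom epoch, 13 shard bits derived from the owning user's id, 10 sequence bits) is Instagram's publicly described ID scheme; the slides do not state it, so it is an assumption here, and the upload_id on slide 100 checks it to within seconds. The code reproduces the slide's 2 * 64^4 count and also computes the exact count for a victim post bracketed in time by two attacker posts.

```python
# Alphabet order checked against the slide's own pair: code "-E1CvRRrxr" <-> pk 1118251892154481771.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}

# Assumption, not stated on the slides: Instagram's published media-id layout of 41 bits of
# milliseconds since a custom epoch, 13 bits of logical shard (derived from the owning user's
# id) and 10 bits of per-shard sequence.
INSTAGRAM_EPOCH_MS = 1314220021721
TIME_SHIFT = 23
SHARD_SHIFT = 10
SHARD_MASK = (1 << 13) - 1
SEQ_MASK = (1 << 10) - 1

# Sample shortcodes taken from the slide's table: a private victim account, and a public
# attacker account posting right after each victim post.
VICTIM_CODES = ["1yCwjTJRnk", "1yC05mJRnq", "1yC5PqpRnu", "1yC9nTJRnw"]
ATTACKER_CODES = ["1yCwodpTlC", "1yC0_ApTlL", "1yC5UopTlX", "1yC9repTlk"]


def decode_shortcode(code: str) -> int:
    """A shortcode is the media pk written in base 64 with ALPHABET as the digit set."""
    pk = 0
    for ch in code:
        pk = pk * 64 + INDEX[ch]
    return pk


def encode_shortcode(pk: int) -> str:
    digits = []
    while pk > 0:
        pk, rem = divmod(pk, 64)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits)) or ALPHABET[0]


def split_id(pk: int) -> tuple:
    """(unix milliseconds, shard, sequence) under the assumed layout."""
    return ((pk >> TIME_SHIFT) + INSTAGRAM_EPOCH_MS,
            (pk >> SHARD_SHIFT) & SHARD_MASK,
            pk & SEQ_MASK)


def distinct_per_position(codes) -> list:
    """Distinct characters seen at each position across one account's shortcodes.
    Under the assumed layout position 7 (index 6) straddles the lowest timestamp bit and the
    top shard bits, so it takes two values; position 8 is shard bits only, so it is constant;
    positions 9-10 are mostly the shard's sequence counter."""
    return [len({code[i] for code in codes}) for i in range(len(codes[0]))]


def shard_of(codes) -> set:
    """Shards seen across an account's shortcodes; one element confirms 'constant per user'."""
    return {split_id(decode_shortcode(c))[1] for c in codes}


def slide_estimate() -> int:
    """The slide's count once the first four characters are known from timing:
    two free characters, one two-valued, one fixed, two free."""
    return 64 ** 2 * 2 * 1 * 64 ** 2


def bracketed_candidates(before: str, after: str) -> int:
    """Exact search space when the victim's post lies between two attacker posts and the
    victim's shard is known: one candidate per millisecond in the window per sequence value."""
    t_lo = decode_shortcode(before) >> TIME_SHIFT
    t_hi = decode_shortcode(after) >> TIME_SHIFT
    return (t_hi - t_lo + 1) * (SEQ_MASK + 1)


def is_candidate(code: str, before: str, after: str, shard: int) -> bool:
    """Would an enumeration bracketed by before/after on this shard try the given shortcode?"""
    pk = decode_shortcode(code)
    t_lo = decode_shortcode(before) >> TIME_SHIFT
    t_hi = decode_shortcode(after) >> TIME_SHIFT
    return t_lo <= (pk >> TIME_SHIFT) <= t_hi and ((pk >> SHARD_SHIFT) & SHARD_MASK) == shard
```

For the second victim post in the table, bracketed by the attacker posts before and after it, the exact count comes out near the slide's estimate: a window of roughly 36 seconds times 1024 sequence values. The shard being fixed per user is what makes the "8th character constant" observation hold, and the shard bits spilling into position 7 is why that position takes exactly two values.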

After reviewing the issue you have reported, we have decided to award you a bounty of $1000 USD.


WEB + MOBILE

6. Private Account Shared Pictures CSRF

The permalink lookup as sent by the Android app, with the app's session cookie (_platform 1):

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
User-Agent: Instagram 7.10.0 Android (19/4.4.4; 320dpi; 768x1184; LGE/google; Nexus 4; mako; mako; en_US)
Cookie: sessionid=IGSC0098a4bee11b593953fd4a3fe0695560f407a103d8eef9f5be083ff21e186673:PEVejQeSkS2p8WYxAEgtyUWdXz9STvKM:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:7DcRpg1d0ve5T0NkbToN5yVleZUh0Ifh:571e05df8ecd8de2efc47dca5f222720233234f6f0511fb20e0ad42c1302ea27","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447525940.04528,"_platform":1}

HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}

The same request with a desktop browser User-Agent and the web session cookie of the same user (_platform 4) is accepted as well:

GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Cookie: sessionid=IGSCffa96a73743adba6c93194ae05041159e0cf6ede2627ae3735c3aa9079cfe853:EasK95PNVAy5CUCA8RnhXrFsCy6I6S5R:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:QTKFc7soS0BHa61aqjAmoqLQ3B3hDkLd:d567a7909eb6db0bc766c5f1f168ae2c5e3086aae93c67273cda175933d96162","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447628626.205864,"_platform":4}

HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}

Attack outline (CSRF):

a) Find the image_id of the private account's pictures (Usertags Feed Authorization Bypass)

b) Find the permalink of the shared private account picture

After reviewing the issue you have reported, we have decided to award you a bounty of $1000.

Lesson: a sensitive lookup exposed over GET instead of POST widens the CSRF attack surface.
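The two captures above differ only in User-Agent and in the session cookie, and the cookie's third field is plain JSON: the user id and the _platform value (1 on the app capture, 4 on the browser capture) are readable by anyone who holds the cookie. The following added example, not Instagram's code, parses that cookie format in both the raw form and the URL-encoded form the app sends (as on slide 167), and implements the detection check a defender would want on the API host: a session minted for the web client being replayed against the app API. Treating _platform 1 as the app and any other value as web is an assumption drawn from these two captures only, and the two cookie values below are the expired 2015 captures from the slides.

```python
import json
from typing import Optional
from urllib.parse import unquote

# sessionid values as captured on the slides: a desktop-browser (web) session for user
# 2036044526, and an Android-app session for user 2028428082 in the URL-encoded form the app sends.
WEB_COOKIE_HEADER = (
    "sessionid=IGSCffa96a73743adba6c93194ae05041159e0cf6ede2627ae3735c3aa9079cfe853:"
    "EasK95PNVAy5CUCA8RnhXrFsCy6I6S5R:"
    '{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:QTKFc7soS0BHa61aqjAmoqLQ3B3hDkLd:'
    'd567a7909eb6db0bc766c5f1f168ae2c5e3086aae93c67273cda175933d96162",'
    '"_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend",'
    '"last_refreshed":1447628626.205864,"_platform":4}'
)
APP_COOKIE_HEADER = (
    "sessionid=IGSCd064c22cd43d17a15dca6bc3a903cb18e8f9e292a859c9d1289ba268103ee563%3A"
    "1WJvjHstqAnPj0i5dcjVRpgcn3wCRQgk%3A%7B%22_token_ver%22%3A1%2C%22_auth_user_id%22%3A2028428082%2C"
    "%22_token%22%3A%222028428082%3AYeZzCYWQLGD8D7d3NzFIbBiWlYJVVa7G%3A"
    "078ae8d72b72846a6431945fd59c38f1b04b8f93dd6ec4b20165693e65b21915%22%2C"
    "%22_auth_user_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C"
    "%22last_refreshed%22%3A1441031445.81182%2C%22_platform%22%3A1%7D; ds_user=pentestingvictim"
)

# Assumption: _platform 1 is the Android app, 4 the web client; only these two values appear on the slides.
APP_PLATFORMS = {1}
APP_API_HOST = "i.instagram.com"


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into name -> raw value (no decoding yet)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def parse_sessionid(value: str) -> dict:
    """Layout seen on the slides: IGSC<hex>:<32-char secret>:<JSON session state>.
    The state is not encrypted, so whoever sees the cookie sees the user id and platform."""
    raw = unquote(value)
    if not raw.startswith("IGSC"):
        raise ValueError("unexpected sessionid prefix")
    prefix, secret, payload = raw.split(":", 2)  # the JSON itself contains colons
    state = json.loads(payload)
    state["_prefix"] = prefix
    return state


def session_platform_mismatch(host: str, path: str, cookie_header: str) -> Optional[str]:
    """Detection check: a web-client session used against the app API. Returns a finding or None."""
    cookies = parse_cookie_header(cookie_header)
    if "sessionid" not in cookies or host != APP_API_HOST or not path.startswith("/api/v1/"):
        return None
    state = parse_sessionid(cookies["sessionid"])
    if state.get("_platform") in APP_PLATFORMS:
        return None
    return (f"user {state['_auth_user_id']}: web session (_platform {state['_platform']}) "
            f"replayed against {path}")
```

Logging such a mismatch is a cheap signal: a browser should never be carrying its own session to the app API host, so every hit is either a misconfigured client or a cross-site request riding on the cookie.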

WEB + MOBILE

7. Email Address Account Enumeration

Slides 124-128 and 130-131: images only.

After reviewing the issue you have reported, we have decided to award you a bounty of $750 USD.

WEB + MOBILE

8. Account Takeover via Change Email Functionality

Slides 132-137: images only, annotated "Spot the difference".

a. Unconfirmed Email Address Reset to Default

Slides 138-144: images only.

b. Reclaim Email Address Link Invalidation

User      Email address(es)
victim    [email protected]
attacker  [email protected], [email protected]

Scenario: assume temporary access for an attacker to the victim's session, for example through:

• Man-in-the-Middle (before SSL pinning)

• Physical access to an unlocked phone

• A Cross-Site Scripting vulnerability

Slides 147-154: the attacker's steps (images only).

Victim
  Email: [email protected]
  Reclaim link: https://instagram.com/accounts/disavow/xjo94i/OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZzFAZ21haWwuY29t/

Attacker
  Email: [email protected]
  Reclaim link: https://instagram.com/accounts/disavow/xjo94i/TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJAZ21haWwuY29t/

(The last path segment of each link is the base64 encoding of the address being reclaimed.)

Slide annotation: "Currently owns victim account"

Slides 156-157: the victim's steps (images only).

Slide 158: same table as above; annotation "Currently owns victim account".

Slides 159-160: the attacker's steps (images only).

Slide 161: same table as above; annotation "Wins!"

After reviewing the issue you have reported, we have decided to award you a bounty of $2000 USD.

Root causes:

• Mail sent to the wrong email address

• Chaining of "secure account" links allowed
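The slides only label the turns as attacker and victim steps, show the two reclaim links, and end with "Wins!" and the two root causes above. The following added example, not Instagram's code, models that outcome: a reclaim link is mailed to the previous address on every change, so after two changes one link points at the victim's mailbox and one at an attacker mailbox; under the weak policy both stay valid and the attacker's link, used last, wins. The hardened policy applies the two root causes as rules: mail reclaim links only to confirmed addresses, and let one reclaim revoke every other outstanding link. The link shape follows the slide; the account handle is the slide's, the e-mail addresses and tokens are constructed.

```python
import base64
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Reclaim ("disavow") link shape as it appears on the slide:
#   https://instagram.com/accounts/disavow/<account>/<token>/<base64 of the e-mail being reclaimed>/


@dataclass
class Account:
    handle: str
    email: str
    confirmed: set = field(default_factory=set)          # addresses whose owner proved control
    reclaim_tokens: dict = field(default_factory=dict)   # token -> e-mail the link restores


def reclaim_link(account: Account, token: str, email: str) -> str:
    encoded = base64.urlsafe_b64encode(email.encode()).decode()
    return f"https://instagram.com/accounts/disavow/{account.handle}/{token}/{encoded}/"


def parse_reclaim_link(link: str) -> tuple:
    handle, token, encoded = link.rstrip("/").split("/")[-3:]
    return handle, token, base64.urlsafe_b64decode(encoded).decode()


def change_email(account: Account, new_email: str, hardened: bool) -> Optional[str]:
    """Changing the address mails a reclaim link to the PREVIOUS address so its owner can undo it.
    The new address stays unconfirmed until its owner acts on a confirmation mail (not modeled)."""
    previous = account.email
    account.email = new_email
    if hardened and previous not in account.confirmed:
        return None  # root cause 1: never mail a reclaim link to an address nobody verified
    token = secrets.token_urlsafe(6)  # 8 URL-safe characters, like the slide's tokens
    account.reclaim_tokens[token] = previous
    return reclaim_link(account, token, previous)


def use_reclaim_link(account: Account, link: str, hardened: bool) -> bool:
    """Weak policy: every link ever issued keeps working. Hardened policy: using one link
    revokes all others, so a second link cannot be chained after the first."""
    _, token, _ = parse_reclaim_link(link)
    if token not in account.reclaim_tokens:
        return False
    account.email = account.reclaim_tokens.pop(token)
    if hardened:
        account.reclaim_tokens.clear()  # root cause 2: one reclaim ends the chain
    return True


def race(hardened: bool) -> str:
    """Attacker with a borrowed session changes the address twice, victim reclaims, attacker
    then tries the link that was mailed to the attacker's first address. Returns the winner."""
    victim = "victim@example.invalid"  # constructed addresses
    acct = Account("xjo94i", victim, confirmed={victim})
    victim_link = change_email(acct, "attacker1@example.invalid", hardened)
    attacker_link = change_email(acct, "attacker2@example.invalid", hardened)
    use_reclaim_link(acct, victim_link, hardened)
    if attacker_link is not None:
        use_reclaim_link(acct, attacker_link, hardened)
    return "victim" if acct.email == victim else "attacker"
```

In the hardened run the second change produces no link at all, because the address it would be mailed to was never confirmed; even if it had been, the victim's reclaim clears the token table, so the attacker's link is dead by the time it is tried.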

MOBILE

9. Private Account Users Following

Suggested-users request with the private account's id as target_id:

GET /api/v1/discover/su_refill/?target_id=2036044526 HTTP/1.1
Host: i.instagram.com
Connection: Keep-Alive
Cookie: sessionid=IGSCd064c22cd43d17a15dca6bc3a903cb18e8f9e292a859c9d1289ba268103ee563%3A1WJvjHstqAnPj0i5dcjVRpgcn3wCRQgk%3A%7B%22_token_ver%22%3A1%2C%22_auth_user_id%22%3A2028428082%2C%22_token%22%3A%222028428082%3AYeZzCYWQLGD8D7d3NzFIbBiWlYJVVa7G%3A078ae8d72b72846a6431945fd59c38f1b04b8f93dd6ec4b20165693e65b21915%22%2C%22_auth_user_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C%22last_refreshed%22%3A1441031445.81182%2C%22_platform%22%3A1%7D; ds_user=pentestingvictim

The response lists suggestions derived from the target's follows ("Based on follows"), including a private account:

HTTP/1.1 200 OK
(…SNIP…)
{
  "status": "ok",
  "items": [
    {
      "caption": "",
      "social_context": "Based on follows",
      "user": {
        "username": "springsteen",
        "has_anonymous_profile_picture": false,
        "profile_pic_url": "http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-19\/11370983_1020871741276370_1099684925_a.jpg",
        "full_name": "Bruce Springsteen",
        "pk": "517058514",
        "is_verified": true,
        "is_private": false
      },
      "algorithm": "chaining_refill_algorithm",
      "thumbnail_urls": ["http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-15\/s150x150\/e35\/11373935_872054516217170_419659415_n.jpg?"],
      (…SNIP…)
    },
    {
      "caption": "",
      "social_context": "Based on follows",
      "user": {
        "username": "pentesttest",
        "has_anonymous_profile_picture": true,
        "profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
        "full_name": "rest",
        "pk": "1966431878",
        "is_verified": false,
        "is_private": true
      },
      "algorithm": "chaining_refill_algorithm",
      "thumbnail_urls": [],
      "large_urls": [],
      "media_infos": [],
      "media_ids": [],
      "icon": ""
    }
  ]
}
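The response above is computed from the follows of target_id without asking whether the requester may see that list. The following added example, not Instagram's code, shows the missing authorization step: a private target's follow graph is used as a suggestion source only for the target itself and its approved followers, and every other requester gets nothing derived from it. The follow graph is constructed from the usernames and pks on the slides; the target's username and the requester's relationship to the target (not an approved follower) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    pk: int
    username: str
    is_private: bool
    follows: set = field(default_factory=set)    # pks this user follows
    followers: set = field(default_factory=set)  # pks approved to follow this user


def sample_graph() -> dict:
    """Constructed from the slides: target 2036044526 (the owner id in the section 5 media id)
    follows the two accounts named in the response; the requester 2028428082 is the
    ds_user on the capture. The target's username and the missing follow relationship are assumed."""
    return {
        2036044526: User(2036044526, "private_target", True, follows={517058514, 1966431878}),
        517058514: User(517058514, "springsteen", False),
        1966431878: User(1966431878, "pentesttest", True),
        2028428082: User(2028428082, "pentestingvictim", False),
    }


def _suggestions_from_follows(users: dict, target: User) -> list:
    return [
        {"username": users[pk].username, "is_private": users[pk].is_private,
         "social_context": "Based on follows", "algorithm": "chaining_refill_algorithm"}
        for pk in sorted(target.follows)
    ]


def su_refill_leaky(users: dict, requester_pk: int, target_id: int) -> list:
    """What the captured response shows: the target's follow graph drives the suggestions
    regardless of who the requester is."""
    return _suggestions_from_follows(users, users[target_id])


def su_refill_checked(users: dict, requester_pk: int, target_id: int) -> list:
    """Gate the derived data on the same rule that protects the follow list itself."""
    target = users[target_id]
    if target.is_private and requester_pk != target.pk and requester_pk not in target.followers:
        return []
    return _suggestions_from_follows(users, target)
```

The point of the gate is that "suggestions based on X's follows" is a projection of X's follow list; any endpoint that computes from private data has to carry the same authorization decision as the endpoint that serves that data directly.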

After reviewing the issue you have reported, we have decided to award you a bounty of $2,500 USD.

MOBILE

10. Steal Money Through Premium Rate Phone Numbers

Slides 174-180: images only.

Initial response:

This is intentional behavior in our product. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.

Page 184: 10 Interesting vulnerabilities in Instagram - Arne Swinnen · PDF fileTHE TALES OF A BUG BOUNTY HUNTER: 10 INTERESTING VULNERABILITIES IN INSTAGRAM ... •Signature Key Phishing ...

MOBILE

10. Steal Money Through Premium Rate Phone Numbers

184

Attacker revenue from an owned premium-rate number:

                 1 account      100 accounts
Per hour         $2             $200
Per day          $48            $4,800
Per month        $1,440         $144,000


Hello again! We'll be doing some fine-tuning of our rate limits and work on the service used for outbound calls in response to this submission, so this issue will be eligible for a whitehat bounty. You can expect an update from us again when the changes have been made. Thanks!

...

After reviewing the issue you have reported, we have decided to award you a bounty of $2000 USD.
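The fix described in the response above is tighter rate limiting on the outbound call service. The following is an added example written for this page, not code from the talk or from Instagram, of how such a limiter can close the two scaling paths the revenue table relies on: one account requesting calls around the clock, and many accounts pointed at one attacker-owned number. The class, its limit values, the E.164 prefixes in the denylist and the simulated traffic are all assumptions made for illustration; real premium-rate ranges differ per country and would be loaded from a numbering-plan database.

```python
"""Added example (not from the talk, not Instagram code): sliding-window
rate limiting for an outbound phone-verification call service."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed, illustrative premium-rate prefixes in E.164 form. Real premium
# ranges vary by country and carrier; a production service would load them
# from a numbering-plan database instead of a hard-coded tuple.
PREMIUM_PREFIXES = ("+1900", "+449", "+3290")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class OutboundCallLimiter:
    """Two independent sliding windows guard every verification call.

    per_account / account_window: one account may only trigger a few calls
        per hour, so a single account can no longer keep a premium line busy.
    per_number / number_window: one destination number may only receive a
        few calls per day across *all* accounts, so spreading requests over
        100 accounts no longer multiplies the payout.
    All limit values are assumptions chosen for this example.
    """

    def __init__(self, per_account=3, account_window=3600,
                 per_number=5, number_window=86400):
        self.per_account, self.account_window = per_account, account_window
        self.per_number, self.number_window = per_number, number_window
        self._by_account = defaultdict(deque)   # account_id -> call timestamps
        self._by_number = defaultdict(deque)    # number -> call timestamps

    @staticmethod
    def _prune(stamps, now, window):
        # Drop timestamps that have left the window (deque is kept in order).
        while stamps and stamps[0] <= now - window:
            stamps.popleft()

    def request_call(self, account_id, number, now):
        """Decide whether to place a call; `now` is seconds on a monotonic clock."""
        # Cheapest check first: never dial a premium-rate destination at all.
        if number.startswith(PREMIUM_PREFIXES):
            return Decision(False, "premium-rate destination")
        acct = self._by_account[account_id]
        self._prune(acct, now, self.account_window)
        if len(acct) >= self.per_account:
            return Decision(False, "per-account limit")
        dest = self._by_number[number]
        self._prune(dest, now, self.number_window)
        if len(dest) >= self.per_number:
            return Decision(False, "per-number limit")
        # Record the call only once both limits have passed.
        acct.append(now)
        dest.append(now)
        return Decision(True, "ok")


def simulate_abuse(accounts=100, number="+3212345678", minutes=60):
    """Constructed attacker traffic: every account asks for a call to the same
    attacker-controlled number (no premium prefix, so only the windows can
    stop it) once a minute for an hour.
    Returns (calls placed, denials grouped by reason)."""
    limiter = OutboundCallLimiter()
    placed, denied = 0, defaultdict(int)
    for minute in range(minutes):
        for i in range(accounts):
            decision = limiter.request_call(f"acct{i}", number, now=minute * 60)
            if decision.allowed:
                placed += 1
            else:
                denied[decision.reason] += 1
    return placed, dict(denied)


if __name__ == "__main__":
    print(simulate_abuse())   # -> (5, {'per-number limit': 5995})
```

Two design points are worth noting. The destination check runs before any quota is touched, so a premium number is refused without consuming the caller's own allowance. The per-number cap is what defeats the 100-account column of the table, but it also denies a sixth legitimate account that shares a phone number with five others on the same day, so in practice that denial tends to route to review rather than a hard block.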


CONCLUSION


#    Vulnerability                                          Category         Bounty
1    Instagram.com Subdomain Hijacking on Local Network     Infrastructure   $0
2    Employee Email Authentication Brute-Force Lockout      Infrastructure   $0
3    Public Profile Tabnabbing                              Web              $0
4    Web Server Directory Enumeration                       Web              $500
5    Private Account Shared Pictures Token Entropy          Hybrid           $1000
6    Private Account Shared Pictures CSRF                   Hybrid           $1000
7    Email Address Account Enumeration                      Hybrid           $750
8    Account Takeover via Change Email Functionality        Hybrid           $2000
9    Private Account Users Following                        Mobile           $2500
10   Steal Money Through Premium Rate Phone Numbers         Mobile           $2000 + 1
     Total                                                                   $9750 + 1


#    Vulnerability                                          Category         Bounty
1    Instagram.com Subdomain Hijacking on Local Network     Infrastructure   $0
2    Employee Email Authentication Brute-Force Lockout      Infrastructure   $0
3    Public Profile Tabnabbing                              Web              $0
4    Web Server Directory Enumeration                       Web              $1000
5    Private Account Shared Pictures Token Entropy          Hybrid           $1000
6    Private Account Shared Pictures CSRF                   Hybrid           $2000
7    Email Address Account Enumeration                      Hybrid           $1500
8    Account Takeover via Change Email Functionality        Hybrid           $2000
9    Private Account Users Following                        Mobile           $2500
10   Steal Money Through Premium Rate Phone Numbers         Mobile           $4000 + 1
     Total                                                                   $14000 + 1

https://www.letuschange.net


SDLC Mapping Summary

Development (6): 46%
Design (5): 39%
Maintenance (2): 15%

Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks

#20/152

#3/13


Hunting Reporting Disclosing


#    Vulnerability    Category         Bounty
11   XXXX             Mobile           ?
12   XXXX             Mobile           ?
13   XXXX             Mobile           ?
14   XXXX             Web              ?
15   XXXX             Infrastructure   ?
     Total                             ?


THANK YOU! ANY QUESTIONS?
