
20 million Instagram accounts were put at risk through sloppy security hole

Graham CLULEY

May 24, 2016


A bug bounty of US $5,000 has been awarded to a Belgian vulnerability researcher who uncovered two methods by which malicious hackers could brute force their way into Instagram accounts.

Arne Swinnen says that he discovered two distinct vulnerabilities which could – when combined with the site’s weak password policies, and a lack of two-factor authentication and other mitigating security controls – have allowed an attacker to break into accounts, including those belonging to high profile celebrities.

If high profile accounts had been hacked, they could have been used to send spam and malicious links to millions of followers, and could have opened the door to embarrassing intimate photo leaks like those seen during 2014’s notorious Celebgate.

The first flaw existed in Instagram’s Android app. Its login endpoint answered the first 1000 password guesses from the same IP address normally, returned an unreliable rate-limit response to the next 1000, and then (bizarrely) went back to giving a genuine right-or-wrong answer on every other request after the 2000th.

Swinnen described in a blog post how he was able to create a “quick-and-dirty” Python script which could launch a brute force attack of 10000 popular passwords against an Instagram test account:

“This allowed a reliable brute-force attack, since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received. The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt.”

Swinnen noted that the site also failed to notice that the same IP address was behind all of the repeated guesses against one account, missing the chance either to alert that the account was under attack or to lock it as a precaution.
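The following is an added example, not Swinnen’s script and not Instagram’s code: a model of the Android-endpoint behaviour described above, the retry-until-reliable guessing loop it allows, and a per-account lockout that defeats it. The thresholds (1000 and 2000 requests per IP), the wordlist and the password are assumptions constructed for the demo.

```python
"""
Added example, not Swinnen's script and not Instagram code: a model of the
Android-endpoint behaviour described above, the retry-until-reliable guessing
loop it allows, and a per-account lockout that defeats it.  The thresholds
(1000 and 2000 requests per IP), the wordlist and the password are assumptions
constructed for the demo.
"""
import hmac

RELIABLE_LIMIT = 1000   # assumption: requests 1..1000 from one IP get a real verdict
HARD_LIMIT = 2000       # assumption: after request 2000, every other request is real
LOCKOUT_FAILURES = 10   # assumption for the hardened server

# Constructed wordlist: 3000 guesses with the real password at position 2500,
# deep enough to exercise both the rate-limited and the alternating regimes.
WORDLIST = [f"pw{i}" for i in range(3000)]
PASSWORD = "pw2499"


class WeakAuthServer:
    """Rate limit keyed only on the source IP, as the text describes: a real
    verdict for the first 1000 requests, a rate-limit error for the next 1000,
    then real and rate-limited answers alternating."""

    def __init__(self, password):
        self._password = password
        self.requests_by_ip = {}

    def login(self, ip, username, password):
        n = self.requests_by_ip.get(ip, 0) + 1
        self.requests_by_ip[ip] = n
        reliable = n <= RELIABLE_LIMIT or (n > HARD_LIMIT and n % 2 == 1)
        if not reliable:
            return "rate_limited"          # says nothing about the guess
        if hmac.compare_digest(password, self._password):
            return "ok"
        return "bad_password"


class HardenedAuthServer(WeakAuthServer):
    """Counts failures per target account, regardless of source IP, raises an
    alert at the threshold and stops giving any verdict once the account is locked."""

    def __init__(self, password):
        super().__init__(password)
        self.failures = {}
        self.alerts = []

    def login(self, ip, username, password):
        if self.failures.get(username, 0) >= LOCKOUT_FAILURES:
            return "locked"
        if hmac.compare_digest(password, self._password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] == LOCKOUT_FAILURES:
            self.alerts.append(f"{username} locked after repeated failures from {ip}")
        return "bad_password"


def brute_force(server, ip, username, wordlist):
    """Swinnen's observation in code: treat a rate-limit error as 'no answer'
    and replay the same guess until a real verdict arrives.  Returns the
    password found (or None) and the number of requests spent."""
    requests = 0
    for guess in wordlist:
        while True:
            requests += 1
            verdict = server.login(ip, username, guess)
            if verdict != "rate_limited":
                break
        if verdict == "ok":
            return guess, requests
        if verdict == "locked":
            return None, requests          # no verdicts left to reason on
    return None, requests


if __name__ == "__main__":
    ip = "203.0.113.7"                     # documentation-range address
    print("weak:", brute_force(WeakAuthServer(PASSWORD), ip, "victim", WORDLIST))
    print("hardened:", brute_force(HardenedAuthServer(PASSWORD), ip, "victim", WORDLIST))
```

Against the weak model the loop recovers the password after 4999 requests for 2500 guesses: the first 1000 guesses cost one request each, the 1001st burns the whole rate-limited window, and every guess after that costs two, the average Swinnen quotes. Against the hardened model the attacker gets ten wrong-password verdicts and then only “locked”, so no amount of replaying helps.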

Additionally, the researcher uncovered a second problem on Instagram’s website, in its user registration flow.

Again, Instagram did not have sufficient protection mechanisms in place – such as rate-limiting or account lockout – to prevent brute force attacks from succeeding.

Instagram was reported to have started rolling out two-step verification to better protect accounts from hackers in February, but it is thought that the system has not yet gone worldwide. That’s a shame, as it would certainly help make life much more difficult for account hackers.

Facebook, which owns Instagram, responded to Swinnen’s vulnerability reports by strengthening rate-limiting on the Instagram website.

In addition, Instagram’s password policy has been slightly hardened, and particularly weak, easy-to-guess passwords such as “123456” and “password” are now rejected.

This isn’t the first time that Swinnen has uncovered serious security holes in Facebook-owned Instagram.

In March, for instance, Facebook patched a serious vulnerability in Instagram which could have allowed malicious attackers to seize control of up to 20 million locked accounts.

Swinnen uncovered that exploitation of the security flaw, combined with weak password policies being used by Instagram, could potentially allow attackers to hijack four percent of the photo-sharing site’s 500 million accounts.

Swinnen was awarded US $5,000 for that discovery, which was disclosed responsibly to Facebook as part of its bug bounty program.

Swinnen stumbled across the vulnerability after he received a verification request from Instagram when attempting to log into a test account.


The researcher discovered that the verification link carried an incremental numeric user ID in its URL, the kind of thing a seasoned vulnerability researcher finds hard not to tamper with.

As Swinnen changed the numeric user ID in the URL with a simple script, he found that the verification page did not always offer to send a code to the account’s email address; for some IDs it asked for a different interaction instead.

Enumerating user IDs across a large range turned up those other pages often enough to matter, and some of them amounted to a security vulnerability in themselves.

In 0.17% of cases during his testing, the page for a temporarily locked account asked him to set a new email address for it.

Once an account was given a new email address, a password reset could then be performed giving an unauthorised party complete access to the account.

In 3.88% of cases, the verification page asked for a phone number to which Instagram would send a security code, again giving an attacker a clear route to commandeering the account. Worse still, the form also broke privacy by displaying the account owner’s current mobile phone number.

“This case was the most troublesome, as an attacker could on one hand gather sensitive user information (pre-filled phone number in some cases), and on the other hand simply update the phone number linked to the victim Instagram account.”

“After successfully linking a new phone number, an attacker could perform the “reset password via SMS” scenario and gain complete access to the account. Big security impact, and almost 4% of all accounts affected in the one million range. A quick manual verification also learned that these were mostly human accounts which had been inactive for a couple of weeks, of which many had a good amount of followers on Instagram.”
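The following is an added example, not Instagram’s code and not Swinnen’s script. It puts a verification link keyed by a sequential numeric user ID (the pattern described above) beside one keyed by a random, single-use, expiring token bound server-side to the account it was issued for. The account table, the state each account is in, the form names and the token lifetime are constructed for the demo.

```python
"""
Added example, not Instagram's code and not Swinnen's script: a verification
link keyed by a sequential numeric user ID beside one keyed by a random,
single-use, expiring token bound server-side to the account it was issued for.
The account table, the "state" each account is in, the form names and the
token lifetime are constructed for the demo.
"""
import secrets
import time

# Constructed account table with sequential IDs of the kind that invite enumeration.
ACCOUNTS = {
    1000: {"user": "alice", "state": "locked_needs_email", "phone": None},
    1001: {"user": "bob",   "state": "ok",                 "phone": None},
    1002: {"user": "carol", "state": "locked_needs_phone", "phone": "+15555550123"},
    1003: {"user": "dave",  "state": "ok",                 "phone": None},
}


def weak_verification_page(user_id):
    """Flow keyed by the raw ID from the URL.  Whoever edits the number reaches
    another account's recovery form, and the form itself may leak data."""
    acct = ACCOUNTS.get(user_id)
    if acct is None:
        return {"error": "no such user"}
    if acct["state"] == "locked_needs_email":
        return {"form": "update_email", "user": acct["user"]}
    if acct["state"] == "locked_needs_phone":
        # Pre-filling the stored number discloses it to whoever loaded the page.
        return {"form": "update_phone", "user": acct["user"], "phone": acct["phone"]}
    return {"form": "send_code_to_email", "user": acct["user"]}


def enumerate_weak(start, count):
    """In the spirit of Swinnen's script: walk a range of IDs and tally which
    recovery form each one serves."""
    tally = {}
    for uid in range(start, start + count):
        form = weak_verification_page(uid).get("form", "error")
        tally[form] = tally.get(form, 0) + 1
    return tally


class TokenVerification:
    """Hardened flow: the link carries an unguessable token; the server looks
    up which user it was issued for, enforces expiry and single use, and never
    lets the page change or reveal the contact details used to recover."""

    def __init__(self, ttl_seconds=900):
        self._pending = {}                       # token -> (user_id, expires_at)
        self.ttl = ttl_seconds

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)        # 256 random bits: not enumerable
        self._pending[token] = (user_id, now + self.ttl)
        return token

    def page(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)   # single use, whatever happens next
        if entry is None:
            return {"error": "invalid or expired link"}
        user_id, expires_at = entry
        if now > expires_at:
            return {"error": "invalid or expired link"}
        # Prove possession of the contact already on file; no pre-filled secrets.
        return {"form": "send_code_to_existing_contact", "user": ACCOUNTS[user_id]["user"]}


if __name__ == "__main__":
    print("weak flow tally:", enumerate_weak(1000, 4))
    svc = TokenVerification()
    tok = svc.issue(1002)
    print("guessed token:", svc.page("1002"))
    print("real token:", svc.page(tok))
    print("replayed token:", svc.page(tok))
```

The point of the hardened class is that there is nothing sequential to enumerate: the only way to reach a recovery form is to hold a token that was issued to that account, it works once, it dies after its lifetime, and the page it serves asks the visitor to prove possession of the existing contact rather than letting them replace it.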


With so much success finding flaws in Instagram, you have to wonder when the photo-sharing social network will offer Swinnen a full-time job.
