Facebook was quick to fix an issue earlier this month that could’ve let an attacker break into four percent of all active, locked Instagram accounts, meaning it affected approximately one million users.
Belgium-based IT security consultant Arne Swinnen discovered the issue two weeks ago when he stumbled upon two bugs, a combination of missing authentication and an insecure direct object reference. According to a blogpost on Friday disclosing the bug, Swinnen said Facebook fixed the bug within just 24 hours.
Swinnen has identified a handful of bugs in the photo-sharing application in the past and was simply trying to verify one of his test accounts through the service’s website when he noticed the URL’s path. The page gave him the ability to verify his account by sending a code to his email, but that wasn’t the odd thing – it was that the URL contained his user ID number.
It wasn’t until Swinnen poked around further and replaced his ID number with other numbers that he discovered the lack of authentication on the page. By entering the right ID numbers, he could have had Instagram reset the email addresses connected to temporarily locked accounts. From there he could have performed a password reset and gained full access to a select number of accounts, roughly 0.17% of users.
By continuing to explore and enter ID numbers, he was able to take it a step further. Another verification vector the company was using could have given him the phone number connected to an account and even allowed him to reset that number. By doing so he could’ve prompted Instagram to send an SMS message to himself to reset someone else’s password. By extrapolating from his proof-of-concept account range, he determined that about 4 percent of all existing and active accounts, roughly one million, were in a vulnerable locked state.
“After successfully linking a new phone number, an attacker could perform the ‘reset password via SMS’ scenario and gain complete access to the account,” Swinnen wrote on Friday.
“Big security impact… A quick manual verification also learned that these were mostly human accounts, which had been inactive for a couple of weeks, of which many had a good amount of followers on Instagram.”
Facebook fixed the issue by requiring authentication on pages that allow users to update their profile information like email addresses and phone numbers.
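The two flaws the article describes (a contact-update page that selects the account purely by the user ID in the URL, and no login required to reach it) and the fix (requiring authentication on that page) can be shown side by side in a small handler model. This is an added example written for this page, not Instagram's or Facebook's code; the account store, session table, handler names and log format are all constructed for illustration. It also includes a tiny detection helper that flags a session probing many different IDs, which is the enumeration pattern an IDOR like this one produces.

```python
"""Added example: a locked-account contact-update endpoint in the
missing-authentication / IDOR shape the article describes, next to a
hardened version that binds the target account to the caller's session.
All data and names are constructed; this is not Instagram's code."""

import logging
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

log = logging.getLogger("contact_update")


@dataclass
class Account:
    email: str
    phone: str
    locked: bool  # temporarily locked accounts were the affected population


def make_store() -> Dict[int, Account]:
    """Fresh constructed account store keyed by numeric user id."""
    return {
        1001: Account("alice@example.com", "+15550000001", locked=True),
        1002: Account("bob@example.com", "+15550000002", locked=False),
    }


# Constructed session table: session token -> authenticated user id.
SESSIONS: Dict[str, int] = {"sess-alice": 1001, "sess-bob": 1002}


class Unauthorized(Exception):
    """No valid session was presented (HTTP 401 in a real app)."""


class Forbidden(Exception):
    """Valid session, but not for the account named in the URL (HTTP 403)."""


def update_contact_vulnerable(store: Dict[int, Account], path_user_id: int,
                              new_email: Optional[str] = None,
                              new_phone: Optional[str] = None) -> Account:
    """Vulnerable shape: the only thing selecting the account is the id taken
    from the URL path, and no session is checked. Anyone who can guess ids
    can rewrite a locked account's recovery email or phone."""
    acct = store[path_user_id]
    if new_email:
        acct.email = new_email
    if new_phone:
        acct.phone = new_phone
    return acct


def update_contact_hardened(store: Dict[int, Account], session_token: Optional[str],
                            path_user_id: int, new_email: Optional[str] = None,
                            new_phone: Optional[str] = None) -> Account:
    """Hardened shape: require an authenticated session, then derive the
    target account from that session and refuse when the URL id disagrees.
    The client-supplied id can therefore never select someone else's account."""
    session_user = SESSIONS.get(session_token) if session_token else None
    if session_user is None:
        raise Unauthorized("login required")
    if session_user != path_user_id:
        # Record the mismatch; a burst of these across many ids is the signal
        # a defender would alert on (see flag_enumeration below).
        log.warning("idor_attempt session_user=%d path_user=%d", session_user, path_user_id)
        raise Forbidden("cannot modify another user's account")
    acct = store[session_user]
    if new_email:
        acct.email = new_email
    if new_phone:
        acct.phone = new_phone
    return acct


# Constructed log lines in the format emitted above, for the detection helper.
SAMPLE_LOG_LINES: List[str] = [
    "idor_attempt session_user=1002 path_user=1001",
    "idor_attempt session_user=1002 path_user=1003",
    "idor_attempt session_user=1002 path_user=1004",
    "idor_attempt session_user=1001 path_user=1002",  # a single typo-style miss
]

_LINE_RE = re.compile(r"idor_attempt session_user=(\d+) path_user=(\d+)")


def flag_enumeration(lines: List[str], threshold: int = 3) -> Set[int]:
    """Return the session users that were denied against at least `threshold`
    distinct foreign ids: one miss is noise, many distinct misses is probing."""
    seen: Dict[int, Set[int]] = defaultdict(set)
    for line in lines:
        m = _LINE_RE.search(line)
        if m:
            seen[int(m.group(1))].add(int(m.group(2)))
    return {user for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(update_contact_vulnerable(make_store(), 1001, new_email="x@example.com"))
    print(update_contact_hardened(make_store(), "sess-alice", 1001, new_phone="+15550009999"))
    print(flag_enumeration(SAMPLE_LOG_LINES))
```

The important design point is that the hardened handler never looks up an account by the URL id alone: the session decides whose record is touched, and the URL id only has to agree with it. Logging the disagreement rather than silently returning 403 is what makes the enumeration visible afterwards.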
Swinnen, who works for Belgian security firm nViso, has had success poking around Instagram for bugs, especially in the past year. In 2015, through a combination of man-in-the-middle attacks, signature key phishing, and APK decompilation, he was able to find 10 bugs in Instagram’s infrastructure, web interface, and mobile interface.
For this particular bug Swinnen was awarded a bounty of $5,000 and was thanked by the company on a list it maintains of researchers who have submitted valid security reports over the years.
Wesley Wineberg, who was a contract employee at the time and is now a senior security research engineer at Synack, discovered a handful of weaknesses in Instagram last December, including some that gave him access to source code, SSL certificates, and private keys. Wineberg’s actions resulted in quite the kerfuffle: Facebook CSO Alex Stamos claimed that Wineberg’s actions went too far and called the hacks unethical. Wineberg, for what it’s worth, ultimately deleted all of the data he accessed and kept his findings private.