A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source.
The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain.
“This time I found a RFD on Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account. What we need? A token. No worries we just need to register a new user to get one,” Sopas wrote in a post explaining the bug and exploitation technique.
“Next step: Insert the batch command we want to use in the user account Bio field [and maybe others]. I’ll try to open a Chrome new window with a malicious page disabling most the protections from this browser.”
Sopas found that the technique works on Chrome, Opera, Chrome for Android, the Android stock browser and Firefox in some circumstances. In order to make it work, he also constructed a specific filename, and when a victim clicks on a link in the attacker’s Instagram message, she will be taken to an attacker-controlled page with a file that appears to be on an Instagram domain. The video above demonstrates the technique.
The attacker could host any malicious file he chooses at the target location, including malware. Sopas said he has been unable to convince Facebook security engineers that RFD issues are security vulnerabilities. He said they told him the issue was not a priority.
“Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email.
“[Imagine] a phishing campaign where the link of the email is really from Instagram?”
An Instagram spokesperson said the issue Sopas raised isn’t one covered by the Facebook bug bounty program.
“Our bug bounty program excludes reports that have no practical security implications, as well as social engineering techniques that require significant interaction from the victim because technical changes are usually not the best way to address these threats,” the spokesperson said.
This story was updated on March 25 to add the comment from Instagram.