Facebook on Thursday patched a pair of vulnerabilities that enabled brute-force attacks against Instagram passwords, and also hardened its password policy.
Researcher Arne Swinnen privately disclosed the flaws in December and in February respectively. One bug was patched in February, while the other went through two rounds of fixes before the issue was resolved on May 10. Swinnen received a combined $5,000 bounty.
The severity of the vulnerabilities was exacerbated by Instagram’s weak password policy and its practice of assigning userIDs incrementally, which together put accounts in jeopardy with minimal effort, Swinnen said.
“This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones,” Swinnen wrote in a report describing details of both vulnerabilities.
In response, Instagram no longer allows simple passwords, and now requires a combination of numbers, letters and punctuation, and recommends that Instagram passwords not be used elsewhere online.
A number of factors put Instagram accounts at risk in addition to the use of incremental userIDs and the weak password policy, most notably that two-factor authentication has been available only since February and many users don’t use it, and there is still no account lockout policy in place, Swinnen said.
The first bug affected the Instagram Android application, and allowed for a bypass of SSL pinning in the app. SSL pinning, or certificate pinning, is a mitigation for man-in-the-middle attacks that adds an extra step to certificate validation, checking that the server’s certificate matches one the app expects rather than trusting any certificate a CA has issued.
“In order to modify and attack this endpoint communication, a key had to be phished from the Android application, which is used to generate a HMACSHA256 signature over the POST parameters of every outgoing request,” Swinnen said.
In his post, he describes a Burp plugin he wrote that carries out a brute force against the mobile authentication endpoint. He found that he could make up to 1,000 guesses from the same IP address before a “username not found” rate-limiting message was returned.
“However, only the next consecutive 1,000 guesses resulted in the ‘username not found’ response error message,” he said. “From the 2,000th consecutive guess onward, a reliable response (password correct/incorrect) was followed by an unreliable one (user not found).
“This allowed a reliable brute-force attack, since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received,” Swinnen said. “The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt.”
Facebook patched this flaw by addressing the rate-limiting feature.
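To make the failure mode concrete, the following is an added Python model (not Instagram’s or Swinnen’s code) of the response pattern the article describes, placed beside a limiter that answers uniformly once its threshold is reached. The 1,000-guess threshold and the response wording come from the article; the class names, the per-call counter and the constructed guess sequence are assumptions of the example.

```python
"""Constructed model of a leaky rate limiter versus a uniform one.

Hypothetical code written for this article; it is not Instagram's
implementation. Thresholds and response strings follow the article."""
from dataclasses import dataclass

CORRECT = "password correct"
INCORRECT = "password incorrect"
UNRELIABLE = "username not found"   # the rate-limit response the article quotes
LIMITED = "rate limited"            # uniform response of the hardened variant


@dataclass
class FlawedLimiter:
    """First 1,000 guesses answered honestly, the next 1,000 all answered
    'username not found', then honest and unreliable responses alternate,
    so every second request past 2,000 still leaks a definitive verdict."""
    threshold: int = 1000
    count: int = 0

    def check(self, guess: str, real: str) -> str:
        self.count += 1
        n = self.count
        if n <= self.threshold:
            return CORRECT if guess == real else INCORRECT
        if n <= 2 * self.threshold:
            return UNRELIABLE
        # Past 2 * threshold: odd positions honest, even positions unreliable.
        if (n - 2 * self.threshold) % 2 == 1:
            return CORRECT if guess == real else INCORRECT
        return UNRELIABLE


@dataclass
class HardenedLimiter:
    """Once the threshold is hit every response is identical, so no request
    past the threshold reveals whether the guess was right. A production
    limiter would additionally key on source and account and reset per window."""
    threshold: int = 1000
    count: int = 0

    def check(self, guess: str, real: str) -> str:
        self.count += 1
        if self.count > self.threshold:
            return LIMITED
        return CORRECT if guess == real else INCORRECT


def reliable_answers(limiter, guesses, real: str) -> int:
    """Count how many guesses in a sequence receive a definitive verdict."""
    return sum(limiter.check(g, real) in (CORRECT, INCORRECT) for g in guesses)
```

Feeding 3,000 wrong guesses through each limiter shows the difference: the flawed one returns a definitive verdict 1,500 times, the hardened one only for the first 1,000.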
The second bug allowed for another trivial brute-force attack against the Instagram web registration endpoint that did not trigger an account lockout or other security controls, he said. He replayed the initial successful request but first removed the username and password parameters and monitored the responses. He was able to try more than 10,000 times before sending over the correct password and getting an affirmative response from the page.
Facebook’s patch involved the introduction of rate limiting; however, the initial patch released in February was ineffective, Swinnen said, and Facebook went back to the drawing board before shoring things up 10 days ago.