What was stolen?
An independent security researcher was able to hack into Instagram’s servers and gain access to essentially all of Instagram’s secret material. Wesley Weinberg got his hands on everything from Instagram’s source code to credentials for email servers, SSL certificates, and personal data of employees and users. Participating in Facebook’s bug bounty program, Weinberg started analyzing Instagram’s systems and quickly realized he had stumbled onto something big.
How was the attack executed?
Initially, Weinberg located a Remote Code Execution bug in the way Instagram processed users’ session cookies, which are used to remember a user’s login details. The web admin platform used by Instagram contained a hard-coded Ruby secret token, and the host it was running on used an out-of-date Ruby version with a known code execution flaw. Exploiting this vulnerability allowed Weinberg to force the database to output login data and credentials of Instagram and Facebook employees. Passwords were hashed with bcrypt; however, more than a few were passwords such as “changeme”, “Instagram” or “password”, which were easily cracked.
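The password point above in working code, as an added example that is not Instagram’s or Checkmarx’s code: a registration check that refuses default and product-name passwords before they are ever hashed, so that a strong hash is not wasted on a guessable value. bcrypt is not part of Ruby’s standard library, so PBKDF2-HMAC-SHA256 from OpenSSL stands in for it here (an assumption of this example); the denylist, minimum length and function names are also constructed for the example.

```ruby
# Added example (not code from Checkmarx, Facebook or Instagram).
# Policy first, hashing second: a hash, however slow, does not protect
# "changeme" or "Instagram" from a dictionary guess.
require 'openssl'
require 'securerandom'

# Constructed denylist: common defaults plus the product's own name.
WEAK_PASSWORDS = %w[password changeme instagram facebook admin welcome
                    123456 qwerty letmein].freeze
MIN_LENGTH = 12
# PBKDF2 iteration count for the stand-in hash (assumption; tune upward in practice).
PBKDF2_ITERATIONS = 100_000
KEY_BYTES = 32

# Returns nil when the password is acceptable, otherwise a short reason string.
def weak_password_reason(password, username: nil)
  return 'too short' if password.length < MIN_LENGTH
  return 'digits only' if password.match?(/\A\d+\z/)

  # Normalize so "Instagram2015!" is judged on its core word "instagram".
  normalized = password.downcase.gsub(/[^a-z0-9]/, '')
  core = normalized.sub(/\d+\z/, '')
  return 'denylisted word' if WEAK_PASSWORDS.include?(core)

  uname = username.to_s.downcase.gsub(/[^a-z0-9]/, '')
  return 'contains username' if uname.length >= 3 && normalized.include?(uname)

  nil
end

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
# Stored format is "iterations$salt_hex$hash_hex".
def hash_password(password)
  salt = SecureRandom.hex(16)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS,
                                  KEY_BYTES, OpenSSL::Digest.new('SHA256'))
  "#{PBKDF2_ITERATIONS}$#{salt}$#{dk.unpack1('H*')}"
end

# Constant-time string comparison, so verification timing does not leak
# how many leading bytes of the hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  iters, salt, hex = stored.split('$', 3)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i,
                                  KEY_BYTES, OpenSSL::Digest.new('SHA256'))
  secure_equal?(dk.unpack1('H*'), hex)
end

# Registration entry point: [:rejected, reason] or [:ok, stored_hash].
def register(username, password)
  reason = weak_password_reason(password, username: username)
  return [:rejected, reason] if reason
  [:ok, hash_password(password)]
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs mirroring the values named in the post.
  %w[changeme Instagram2015! password].each do |pw|
    puts "#{pw.inspect}: #{weak_password_reason(pw, username: 'wes') || 'accepted'}"
  end
  status, stored = register('wes', 'correct horse battery staple')
  puts "#{status}: #{stored}"
end
```

The denylist check runs on the normalized core of the password (lowercased, punctuation stripped, trailing digits removed), which is what catches the “Instagram” and “changeme” variants with a year or an exclamation mark appended; the user’s name is also refused so a user cannot set their own login as a password.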
Searching a bit further, Weinberg also found a way to access 82 Amazon S3 buckets (storage servers) because Facebook and Instagram had neglected to store their keys securely. At this stage Weinberg had gained access to an alarming amount of data, such as:
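Both findings, the hard-coded Ruby secret token behind the session-cookie RCE and the S3 keys that were not stored securely, come down to secrets living in source and config files. As an added example (not code from Checkmarx, Facebook or Instagram), here is a small Ruby scanner that flags a hard-coded Rails secret token and AWS access keys in a set of files, run over constructed sample files in both their vulnerable and corrected forms. The file names, patterns and key values are assumptions of the example; the AWS secret value is the public placeholder from AWS documentation.

```ruby
# Added example (not code from Checkmarx, Facebook or Instagram): a
# pre-commit style check for secrets committed to source.

# Patterns for the two mistakes described in the post (constructed; extend as needed).
SECRET_PATTERNS = {
  # config.secret_token = '<long hex string>' in a Rails initializer
  rails_secret:   /\b(secret_token|secret_key_base)\s*=\s*['"][0-9a-f]{32,}['"]/i,
  # AWS access key IDs have a fixed prefix and length
  aws_access_key: /\bAKIA[0-9A-Z]{16}\b/,
  # a 40-character secret assigned to a secret_access_key setting
  aws_secret_key: /\b(aws_)?secret_access_key\b\s*[:=]\s*['"]?[A-Za-z0-9\/+=]{40}['"]?/i
}.freeze

# Constructed sample repository in its vulnerable form.
VULNERABLE_SOURCES = {
  'config/initializers/secret_token.rb' =>
    "Myapp::Application.config.secret_token = '#{'deadbeef' * 8}'\n",
  'config/s3.yml' =>
    "production:\n" \
    "  access_key_id: AKIAEXAMPLEEXAMPLE01\n" \
    "  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
}.freeze

# The same files after the fix: secrets come from the environment (or a
# secrets manager) at runtime and never sit in the repository.
FIXED_SOURCES = {
  'config/initializers/secret_token.rb' =>
    "Myapp::Application.config.secret_token = ENV.fetch('SECRET_TOKEN')\n",
  'config/s3.yml' =>
    "production:\n" \
    "  access_key_id: <%= ENV['AWS_ACCESS_KEY_ID'] %>\n" \
    "  secret_access_key: <%= ENV['AWS_SECRET_ACCESS_KEY'] %>\n"
}.freeze

# Scans { path => content } and returns findings as { file:, line:, kind: }.
# The matched value is deliberately left out of the report so the scanner's
# own output does not become another copy of the secret.
def scan_sources(files)
  files.flat_map do |path, content|
    content.each_line.with_index(1).flat_map do |line, lineno|
      SECRET_PATTERNS.select { |_, re| line.match?(re) }.keys.map do |kind|
        { file: path, line: lineno, kind: kind }
      end
    end
  end
end

# Gate for CI or a pre-commit hook: true only when nothing was flagged.
def secrets_clean?(files)
  scan_sources(files).empty?
end

if $PROGRAM_NAME == __FILE__
  { 'vulnerable' => VULNERABLE_SOURCES, 'fixed' => FIXED_SOURCES }.each do |label, files|
    findings = scan_sources(files)
    puts "#{label}: #{findings.empty? ? 'clean' : "#{findings.length} finding(s)"}"
    findings.each { |f| puts "  #{f[:file]}:#{f[:line]} #{f[:kind]}" }
  end
end
```

Run against the vulnerable tree the scanner reports the secret token on line 1 of the initializer and both AWS values in the YAML file; the corrected tree, which reads every value from the environment, passes. Rotating the exposed key after such a finding matters as much as removing it, since anything already committed should be treated as leaked.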
Based on the available information about this breach, it seems that the vulnerabilities exposed here could have been avoided at their source. Use of open source libraries is very common, and most developers rely on them for much of their functionality. However, it is the organization’s responsibility to make sure that vulnerable third-party libraries do not expose its users to security risks. Keeping open source components up to date at all times is critical for an application’s security. In addition, tight encryption policies and secure credential/key storage are basics, and lapses in them should be detected and mitigated during coding of the application itself.