What You Need to Know – Instagram Hacked

Dec 20, 2015 By Amit Ashbel

What was stolen?

An independent security researcher was able to hack Instagram's servers and gain access to essentially all of Instagram's secret material. Wesley Weinberg got his hands on everything from Instagram's source code to credentials for email servers, SSL certificates, and personal data of employees and users. Working under Facebook's bug bounty program, Weinberg started analyzing Instagram's systems and quickly realized he had stumbled onto something big.

How was the attack executed?

Initially, Weinberg located a Remote Code Execution bug in the way Instagram processed users' session cookies, which are used to remember login details. The web admin platform used by Instagram contained a hard-coded Ruby secret token, and the host it was running on used an out-of-date Ruby version with a known code execution flaw. Exploiting this vulnerability allowed Weinberg to force the database to output login data and credentials of Instagram and Facebook employees. Passwords were hashed with bcrypt; however, more than a few accounts were using passwords such as "changeme", "Instagram" or "password", which were easily cracked.

Searching a bit further, Weinberg also found a way to access 82 Amazon S3 buckets (storage servers) because Facebook and Instagram had neglected to store the access keys securely. At this stage Weinberg had gained access to an alarming amount of data, such as:

  • Instagram’s source code
  • SSL certificates and private keys (including for instagram.com and *.instagram.com)
  • API keys that are used for interacting with other services
  • Images uploaded by Instagram users
  • Static content from the instagram.com website
  • Email server credentials
  • iOS/Android app signing keys
  • Other sensitive data
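
Both the hard-coded Ruby secret token and the stored S3 keys described above are the kind of defect a pre-commit secrets scan catches. The Ruby script below is an added example, not code from the original post or from Instagram; the file contents, the token and the AWS key values are constructed (the AWS values are the placeholder examples used in AWS documentation, not live credentials), and the pattern set is a minimal illustration rather than a complete secret-detection ruleset.

```ruby
# Added example (not from the original post): a minimal scan for hard-coded
# secrets in application config, of the kind that enabled this breach.
# All sample file contents below are constructed for illustration.

# Patterns for material that should never be committed as a string literal.
SECRET_PATTERNS = {
  # Rails secret_token / secret_key_base assigned a long hex literal
  rails_secret:   /secret_(?:token|key_base)\s*=\s*['"][0-9a-f]{32,}['"]/i,
  # AWS access key IDs have a fixed 20-character shape beginning with AKIA
  aws_access_key: /\bAKIA[0-9A-Z]{16}\b/,
  # AWS secret access keys are 40 base64-like characters next to an assignment
  aws_secret_key: /(?:aws_)?secret_access_key\s*[:=]\s*['"]?[A-Za-z0-9\/+=]{40}['"]?/i
}.freeze

# Scan a {filename => contents} hash; returns an array of findings,
# each a hash of the form { file:, line:, kind: }.
def scan_for_secrets(files)
  findings = []
  files.each do |name, content|
    content.each_line.with_index(1) do |line, no|
      next if line.lstrip.start_with?('#')   # skip comment lines
      SECRET_PATTERNS.each do |kind, re|
        findings << { file: name, line: no, kind: kind } if line =~ re
      end
    end
  end
  findings
end

# Constructed sample repository: one weak initializer, one hardened
# initializer, and a YAML file with checked-in (placeholder) AWS credentials.
SAMPLE_FILES = {
  # Literal token of the kind older Rails generators wrote into the initializer
  'config/initializers/secret_token.rb' =>
    "App::Application.config.secret_token = " \
    "'0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'\n",
  # Hardened form: the value is read from the environment at boot, never committed
  'config/initializers/secret_token_fixed.rb' =>
    "App::Application.config.secret_token = ENV.fetch('SECRET_TOKEN')\n",
  # AWS documentation placeholder keys, not real credentials
  'config/s3.yml' =>
    "access_key_id: AKIAIOSFODNN7EXAMPLE\n" \
    "secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
}.freeze

if __FILE__ == $0
  scan_for_secrets(SAMPLE_FILES).each do |f|
    puts "#{f[:file]}:#{f[:line]}: hard-coded #{f[:kind]}"
  end
end
```

Run as `ruby scan_secrets.rb`: the weak initializer and both lines of the YAML file are reported, while the initializer that reads the token from `ENV` produces no finding. In a real pipeline the same scan would run on every commit and fail the build, so that a token or key never reaches a server in the first place.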

What Now?

  • Fortunately, the researcher informed Facebook and Instagram of what he had found, and there seems to be no concern (hopefully) of the data landing in the wrong hands.
  • Strangely enough, Facebook disqualified some of Weinberg's findings and threatened a lawsuit, claiming that he accessed personal data of users and employees while uncovering the issue. Facebook agreed to pay the bounty for detecting the vulnerable server but declined to pay for the other vulnerabilities, claiming that Weinberg violated user privacy and the program guidelines.

Based on the available information on this breach, the vulnerabilities exposed here could have been avoided at their source. Use of open-source libraries is very common, and most developers rely on them for much of their functionality. However, it is the organization's responsibility to make sure that vulnerable third-party libraries do not expose its users to security risks. Keeping open-source components up to date at all times is critical for an application's security. In addition, tight encryption policies and secure credential/key storage are basics; lapses in them should be detected and mitigated while the application itself is being coded.
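
Keeping components up to date starts with knowing which versions are actually pinned. The Ruby script below is an added example, not code from the original post: it parses the `specs:` section of a Gemfile.lock and compares each pinned gem against a minimum-safe-version table. Both the lockfile and the version table are constructed for illustration; a real check would load the table from an advisory feed rather than a literal hash.

```ruby
# Added example (not from the original post): flag gems in a Gemfile.lock that
# are older than a minimum safe version. The advisory table and the lockfile
# below are constructed for illustration, not real advisory data.
require 'rubygems'   # for Gem::Version (loaded by default on modern Ruby)

# Constructed table: gem name => first version considered safe.
MIN_SAFE_VERSION = {
  'rails'    => '3.2.11',
  'rack'     => '1.4.5',
  'nokogiri' => '1.5.9'
}.freeze

# Parse the "specs:" section of a Gemfile.lock into {name => version}.
# Top-level gems are indented by four spaces, e.g. "    rails (3.2.8)";
# deeper-indented lines are dependency constraints and are skipped.
def parse_lockfile(text)
  pinned = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s+specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /^\s/   # next top-level section
    next unless in_specs
    pinned[$1] = $2 if line =~ /\A {4}([\w.\-]+) \(([^)]+)\)\s*\z/
  end
  pinned
end

# Return the subset of pinned gems whose version is below the safe minimum.
def outdated_gems(pinned, table = MIN_SAFE_VERSION)
  pinned.select do |name, version|
    table.key?(name) && Gem::Version.new(version) < Gem::Version.new(table[name])
  end
end

# Constructed lockfile with two out-of-date gems and one unknown to the table.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.6.0)
      rack (1.4.1)
      rails (3.2.8)
        rack (~> 1.4.0)
      bcrypt-ruby (3.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.8)
LOCK

if __FILE__ == $0
  outdated_gems(parse_lockfile(SAMPLE_LOCKFILE)).each do |name, version|
    puts "#{name} #{version} is below the minimum safe version #{MIN_SAFE_VERSION[name]}"
  end
end
```

`Gem::Version` handles pre-release and multi-segment versions correctly, so the comparison does not break on strings like `3.2.11` versus `3.2.8` the way a plain string compare would. Running this against every lockfile in CI, with the table refreshed from an advisory database, is the mechanical form of the "keep components up to date" advice above.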

Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.
