What was stolen?
An independent security researcher was able to hack Instagram servers and gain access to essentially all of Instagram’s secret material. Wesley Weinberg was able to get his hands on everything from Instagram’s source code to credentials for email servers, SSL certificates and personal data of employees and users. As part of Facebook’s bug bounty program, Weinberg started analyzing Instagram’s systems and quickly realized he had stumbled on something big.
How was the attack executed?
Initially, Weinberg located a Remote Code Execution bug in the way Instagram processed users’ session cookies, which are used to remember a user’s login details. The web admin platform used by Instagram contained a hard-coded Ruby secret token, and the host it was running on used an out-of-date Ruby version with a known code execution flaw. Exploiting this vulnerability allowed Weinberg to force the database to output login data and credentials of Instagram and Facebook employees. Passwords were hashed with bcrypt; however, more than a few were passwords such as “changeme”, “Instagram” or “password”, which were easily cracked.
Searching a bit further, Weinberg also found a way to access 82 Amazon S3 buckets (storage servers) because Facebook and Instagram had neglected to store the access keys securely. At this stage Weinberg had gained access to an alarming amount of data, such as:
- Instagram’s source code
- SSL certificates and private keys (including for instagram.com and *.instagram.com)
- API keys that are used for interacting with other services
- Images uploaded by Instagram users
- Static content from the instagram.com website
- Email server credentials
- iOS/Android app signing keys
- Other sensitive data
Luckily, the researcher informed Facebook and Instagram of what he had found, and there seems to be no concern (hopefully) of the data landing in the wrong hands.
Strangely enough, Facebook disqualified some of Weinberg’s findings and threatened him with a lawsuit, claiming that he had accessed personal data of users and employees while uncovering the issue. Facebook agreed to pay the bounty for detecting the vulnerable server but declined to pay for the other vulnerabilities, claiming that Weinberg had violated user privacy and the program guidelines.
Based on the available information on this breach, it seems that the vulnerabilities exposed here could have been avoided at their source. Use of open source libraries is very common, and most developers rely on these libraries for much of their functionality. However, it is the organization’s responsibility to make sure that vulnerable third-party libraries do not expose its users to security risks. Keeping open source components up to date at all times is critical for an application’s security. In addition, strict encryption policies and secure credential/key storage are basics whose violations should be detected and mitigated while the application is being written.
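To show what “detected during coding” can look like for the hard-coded Ruby secret token described above, here is an added example (not code from the article or from Instagram): a small Ruby audit helper that scans Rails-style configuration text for a session secret assigned as a string literal, flags literals that are too short, and shows the alternative of loading the secret from the environment. The config snippet it scans is constructed for illustration, and the `audit_secret_config` / `secure_secret_line` names are assumptions of this example.

```ruby
# Added example, not part of the original article. Scans constructed Rails-style
# configuration text for hard-coded session secrets.
require 'securerandom'

# Rails reads its cookie-signing secret from one of these settings.
SECRET_KEYS = /\b(secret_token|secret_key_base)\b/

# Constructed sample: one initializer with a hard-coded, short secret and one
# production setting that loads the secret from the environment.
SAMPLE_CONFIG = <<~RUBY
  # config/initializers/secret_token.rb (constructed sample)
  Rails.application.config.secret_token = 'changeme123'
  # config/environments/production.rb (constructed sample)
  config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')
RUBY

# Returns an array of findings, one hash {line:, key:, reason:} per problem.
# A secret taken from ENV or from Rails credentials is accepted; a quoted
# literal is flagged, and a literal shorter than 64 characters is flagged as
# too short as well (a generated secret is 128 hex characters).
def audit_secret_config(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    next if line.strip.start_with?('#')          # ignore comments
    next unless line =~ SECRET_KEYS
    key = Regexp.last_match(1)
    next if line.include?('ENV[') || line.include?('ENV.fetch') ||
            line.include?('credentials')          # loaded at runtime, not hard-coded
    literal = line.match(/['"]([^'"]*)['"]/)
    next unless literal                           # no string literal on this line
    findings << { line: no, key: key, reason: 'hard-coded literal' }
    findings << { line: no, key: key, reason: 'too short' } if literal[1].length < 64
  end
  findings
end

# The replacement line: the secret lives outside the repository and is read at
# boot, so a source code leak no longer reveals it.
def secure_secret_line(env_var = 'SECRET_KEY_BASE')
  "config.secret_key_base = ENV.fetch('#{env_var}')"
end

# Generate a fresh random secret (128 hex characters) to store in that variable.
def generate_secret
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  audit_secret_config(SAMPLE_CONFIG).each { |f| puts "line #{f[:line]}: #{f[:key]} #{f[:reason]}" }
end
```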