
List:       bugtraq
Subject:    Two Instagram Android App Security Vulnerabilities
From:       Georg Lukas <lukas () rt-solutions ! de>
Date:       2013-08-28 8:54:35
Message-ID: 8499C983E317B241B123ACD35FE860503B210063 () DB3PRD0410MB381 ! eurprd04 ! prod ! outlook ! com


Affected app: Instagram for Android
Affected versions: 4.0.2 and 4.1.2; earlier versions (and the iOS app) are probably also affected.

# Summary

After the Instagram iOS vulnerability discovered last year [1], the app's HTTP API has been extended with cryptographic authentication of changes such as "likes" and deletes. However, the implementation of this authentication is flawed in two ways, making it possible to "like" or delete pictures in the name of another user once his credentials have been sniffed over plain-text HTTP.

# Vulnerability 1: Partial Cryptographic Authentication

When a user issues a "like" or "delete" command from the app, an HTTP POST request is made to the Instagram server:

	POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
	Host: instagram.com
	[more headers stripped]

	signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%7D&ig_sig_key_version=4&src=timeline&d=0

The POSTed data is a set of form-urlencoded parameters, the first of which is the most interesting. The signed_body parameter is a cryptographic signature concatenated with a JSON string ('{"media_id":"528086397952388638_263262746"}' in the example above). In that string, the media ID from the POST URL (the internal identifier of a picture) is encoded again, and the signature is computed over exactly this JSON string.

Because only the media_id is authenticated, but not the action to be performed, an attacker who can sniff the credentials cookie and a "Like" API message can forge a "Delete" message for the same image by re-using the authentication signature. Of course, this only works in the unlikely case where a user "likes" his own image over a public network.

# Vulnerability 2: Bad Key Choice

However, the secret key used for this authentication signature is hard-coded in the app. That means an attacker who can extract the key from the app is able to forge the cryptographic signature for any media_id desired. Once an attacker obtains the authentication cookie (which the app transmits over plain-text HTTP), he can delete all the pictures posted by the user so far, and also "like" or "un-like" any pictures available for viewing.

The signature key is stored in an obfuscated fashion in a combination of native and Java code. It is obtained by calling NativeBridge.getInstagramString("[snipped]") from the RequestUtil.generateSignature(String request) method. Afterwards, an HMAC-SHA256 signature is generated with the key over the request string. We are not providing proof-of-concept code for this vulnerability because making the static signature key public would allow scripted access to the Instagram API.

# Suggested Countermeasures

We suggest switching all communications between the app and the API server to HTTPS, as most other major providers already do. If this is not feasible, we suggest extending the cryptographic authentication as follows:

1.	Use a signing key that is specific to the given user and not known to third parties, i.e. downloaded via HTTPS or at least derived from the user's username+password
2.	Add a sequence number into the signed_body field
3.	Add the POST URL or some other encoding of the action to perform into the signed_body, and validate it on the server
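As an added illustration (not code from this advisory, from Instagram, or from rt-solutions.de), the following Python models the signed_body scheme described under Vulnerability 1 beside a server-side verifier that applies countermeasures 1 to 3. Both keys are constructed placeholders, and the POST body captured above is used only as parsing input, since the app's real key is not known here. The weak verifier accepts a sniffed "like" body when it is resubmitted on the "delete" URL, which is exactly the replay described above; the hardened verifier rejects it because the method, URL path and a sequence number are part of the signed string under a per-user key, and it also refuses the same genuine request a second time.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# POST body captured in the advisory, used here as parsing input only: the app's
# real signing key is not known, so its signature cannot be re-verified.
CAPTURED_BODY = (
    "signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d."
    "%7B%22media_id%22%3A%22528086397952388638_263262746%22%7D"
    "&ig_sig_key_version=4&src=timeline&d=0"
)
MEDIA_ID = "528086397952388638_263262746"  # media ID from the captured request

# Constructed keys for the demonstration (hypothetical, not the app's values).
APP_WIDE_KEY = b"constructed-app-wide-key"     # one key shipped inside every app copy
ALICE_KEY = b"constructed-per-user-key-alice"  # key issued to a single user over HTTPS


def parse_signed_body(form_body):
    """Split a form-urlencoded body into (hex signature, JSON payload string).
    signed_body is '<hex HMAC>.<JSON>'; parse_qs undoes the %-encoding."""
    fields = parse_qs(form_body, strict_parsing=True)
    sig, _, payload = fields["signed_body"][0].partition(".")
    return sig, payload


def media_id_from_body(form_body):
    """Return the media_id carried inside the signed JSON payload."""
    return json.loads(parse_signed_body(form_body)[1])["media_id"]


# --- Weak scheme as described above: HMAC-SHA256 over the JSON payload only ---

def sign_weak(payload, key=APP_WIDE_KEY):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def build_weak_request(action, media_id):
    """Build (method, path, body) the way the vulnerable client does."""
    payload = json.dumps({"media_id": media_id}, separators=(",", ":"))
    body = urlencode({"signed_body": f"{sign_weak(payload)}.{payload}",
                      "ig_sig_key_version": 4})
    return "POST", f"/api/v1/media/{media_id}/{action}/", body


def verify_weak(method, path, form_body, key=APP_WIDE_KEY):
    """Server check that never looks at method or path: the action is unauthenticated."""
    sig, payload = parse_signed_body(form_body)
    return hmac.compare_digest(sig, sign_weak(payload, key))


# --- Hardened scheme following countermeasures 1-3 ---

def canonical_string(method, path, seq, payload):
    """Bind HTTP method, URL path and sequence number to the payload before signing."""
    return "\n".join([method, path, str(seq), payload]).encode()


def sign_strong(method, path, seq, payload, user_key):
    return hmac.new(user_key, canonical_string(method, path, seq, payload),
                    hashlib.sha256).hexdigest()


def build_strong_request(action, media_id, seq, user_key):
    payload = json.dumps({"media_id": media_id}, separators=(",", ":"))
    path = f"/api/v1/media/{media_id}/{action}/"
    sig = sign_strong("POST", path, seq, payload, user_key)
    return "POST", path, urlencode({"signed_body": f"{sig}.{payload}", "seq": seq})


class StrongVerifier:
    """Per-user verifier: rejects wrong keys, mismatched method/path and replayed seq."""

    def __init__(self, user_key):
        self.user_key = user_key
        self.last_seq = 0

    def verify(self, method, path, form_body):
        sig, payload = parse_signed_body(form_body)
        seq = int(parse_qs(form_body, strict_parsing=True)["seq"][0])
        if seq <= self.last_seq:  # replayed or out-of-order request
            return False
        expected = sign_strong(method, path, seq, payload, self.user_key)
        if not hmac.compare_digest(sig, expected):
            return False
        self.last_seq = seq
        return True


def like_replayed_on_delete_url_weak():
    """The scenario from the advisory: a sniffed 'like' body resubmitted on the 'delete' URL."""
    method, path, body = build_weak_request("like", MEDIA_ID)
    return verify_weak(method, path.replace("/like/", "/delete/"), body)


def like_replayed_on_delete_url_strong():
    """Same bytes against the hardened verifier: the path is inside the signed string."""
    method, path, body = build_strong_request("like", MEDIA_ID, 1, ALICE_KEY)
    return StrongVerifier(ALICE_KEY).verify(method, path.replace("/like/", "/delete/"), body)


def genuine_then_replayed_strong():
    """A genuine request is accepted once; the identical bytes a second time are refused."""
    v = StrongVerifier(ALICE_KEY)
    method, path, body = build_strong_request("like", MEDIA_ID, 7, ALICE_KEY)
    return v.verify(method, path, body), v.verify(method, path, body)
```

The per-user key on its own already defeats the hard-coded-key problem from Vulnerability 2 (a request signed with the app-wide key fails against a user's verifier), while binding the path closes Vulnerability 1 and the sequence number stops straight replays; all three are independent of whether the transport is HTTPS, which remains the preferred fix.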

# Timeline

*	2013-07-21 We have discovered the vulnerability.
*	2013-07-23 The vendor was contacted via e-mail, there was no reply yet.
*	2013-08-07 Instagram 4.1 was published to Google Play, the issue still unfixed.
*	2013-08-26 Publication of the vulnerability.

# Contact

Please contact Georg Lukas <lukas@rt-solutions.de> from rt-solutions.de GmbH [2] with any further questions regarding the vulnerability.

[0] PDF version of this document:
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue
[2] rt-solutions.de GmbH http://www.rt-solutions.de/

-- 
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de

