List: bugtraq
Subject: Two Instagram Android App Security Vulnerabilities
From: Georg Lukas <lukas () rt-solutions ! de>
Date: 2013-08-28 8:54:35
Message-ID: 8499C983E317B241B123ACD35FE860503B210063 () DB3PRD0410MB381 ! eurprd04 ! prod ! outlook ! com
Affected app: Instagram for Android
Affected versions: 4.0.2 and 4.1.2; earlier versions (as well as iOS) are probably also affected.
# Summary
After the Instagram iOS vulnerability discovered last year [1], the app's HTTP API has been extended with cryptographic authentication for state-changing requests such as "likes" and deletes. However, the implementation of this authentication is flawed in two ways, making it possible to "like" or delete pictures in the name of another user once his credentials have been sniffed over plain-text HTTP.
# Vulnerability 1: Partial Cryptographic Authentication
When a user issues a "like" or "delete" command from the app, an HTTP POST request is made to the Instagram server:
POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
Host: instagram.com
[more headers stripped]
signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%7D&ig_sig_key_version=4&src=timeline&d=0
The POSTed data is a set of form-urlencoded parameters, of which the first one is the most interesting. The signed_body parameter is a cryptographic signature, concatenated with a JSON string ('{"media_id":"528086397952388638_263262746"}' in the example above). In that string, the media ID from the POST URL (the internal identifier of a picture) is encoded again, and the signature is computed over exactly this JSON string.
Because only the media_id is authenticated, but not the action to be performed, an attacker who can sniff the credentials cookie and a "Like" API message can forge a "Delete" message for the same image, re-using the authentication signature. Of course, this only works in the unlikely case where a user "likes" his own image over a public network.
# Vulnerability 2: Bad Key Choice
However, the secret key used for this authentication signature is hard-coded in the app. That means an attacker who can extract the key from the app is able to forge the cryptographic signature for any media_id desired. Once an attacker obtains the authentication cookie (which the app transmits over plaintext HTTP), he can delete all the pictures posted by the user so far, and also "like" or "un-like" any pictures available for viewing.
The signature key is stored in an obfuscated fashion in a combination of native and Java code. It is obtained by calling NativeBridge.getInstagramString("[snipped]") from the RequestUtil.generateSignature(String request) method. Afterwards, an HMAC-SHA256 signature is generated with the key over the request string. We are not providing proof-of-concept code for this vulnerability because making the static signature key public would allow scripted access to the Instagram API.
# Suggested Countermeasures
We suggest switching all communications between the app and the API server to HTTPS, as most other major providers already do. If this is not feasible, we suggest extending the cryptographic authentication as follows:
1. Use a signing key that is specific to the given user and not known to third parties, i.e. downloaded via HTTPS or at least derived from the user's username+password
2. Add a sequence number to the signed_body field
3. Add the POST URL or some other encoding of the action to perform to the signed_body, and validate it on the server
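The following is an added illustration (not code from the advisory or from Instagram) of why the signed_body scheme described above fails and how countermeasures 1-3 close the gap, written from the server's verification side. All keys, the "url" and "seq" JSON fields, and the user name are constructed assumptions; the real app key is not reproduced.

```python
import hmac, hashlib, json

# Constructed keys for illustration only; the real hard-coded app key is not on the page.
APP_KEY = b"constructed-static-app-key"                   # one key shared by every install
USER_KEYS = {"alice": b"constructed-per-user-key-alice"}  # hardened: per-user key (countermeasure 1)

def sign(key: bytes, payload: str) -> str:
    """signed_body format from the advisory: hex(HMAC-SHA256(key, payload)) + '.' + payload."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return mac + "." + payload

def verify_flawed(url: str, signed_body: str) -> bool:
    """Original scheme: the MAC covers only {"media_id": ...}; the URL/action is never checked."""
    mac, _, payload = signed_body.partition(".")
    expected = hmac.new(APP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and json.loads(payload)["media_id"] in url

def verify_hardened(user: str, url: str, signed_body: str, last_seq: int) -> bool:
    """Countermeasures 1-3: per-user key, monotonic sequence number, POST URL inside the signed JSON.
    The 'url' and 'seq' field names are assumptions made for this example."""
    mac, _, payload = signed_body.partition(".")
    key = USER_KEYS.get(user)
    if key is None:
        return False
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    body = json.loads(payload)
    return body["url"] == url and body["seq"] > last_seq

MEDIA = "528086397952388638_263262746"            # media ID from the advisory's sample request
LIKE_URL = f"/api/v1/media/{MEDIA}/like/"
DELETE_URL = f"/api/v1/media/{MEDIA}/delete/"

def demo() -> dict:
    # A "like" request as the app would sign it (constructed, same layout as the advisory).
    sniffed = sign(APP_KEY, json.dumps({"media_id": MEDIA}, separators=(",", ":")))
    # Hardened request: the signed JSON binds the URL and a sequence number.
    body = json.dumps({"media_id": MEDIA, "url": LIKE_URL, "seq": 7}, separators=(",", ":"))
    good = sign(USER_KEYS["alice"], body)
    return {
        "flawed_like": verify_flawed(LIKE_URL, sniffed),                      # True: legitimate
        "flawed_delete_same_body": verify_flawed(DELETE_URL, sniffed),        # True: vulnerability 1
        "hardened_like": verify_hardened("alice", LIKE_URL, good, 6),         # True: legitimate
        "hardened_delete_same_body": verify_hardened("alice", DELETE_URL, good, 6),  # False: URL bound
        "hardened_replay": verify_hardened("alice", LIKE_URL, good, 7),       # False: seq already used
    }
```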
# Timeline
* 2013-07-21 We have discovered the vulnerability.
* 2013-07-23 The vendor was contacted via e-mail; there has been no reply so far.
* 2013-08-07 Instagram 4.1 was published to Google Play, with the issue still unfixed.
* 2013-08-26 Publication of the vulnerability.
# Contact
Please contact Georg Lukas <lukas@rt-solutions.de> from rt-solutions.de GmbH [2] with any further questions regarding the vulnerability.
[0] PDF version of this document:
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue
[2] rt-solutions.de GmbH http://www.rt-solutions.de/
--
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln
Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de