Post on 08-Jul-2018
8/19/2019 10 Interesting Vulnerabilities in Instagram Arne Swinnen
1/196
THE TALES OF A BUG BOUNTY HUNTER:
10 INTERESTING VULNERABILITIES IN INSTAGRAM
ARNE SWINNEN
@ARNESWINNEN
HTTPS://WWW.ARNESWINNEN.NET
WHOAMI
• Arne Swinnen from Belgium, 26 years old
• IT Security Consultant since 2012
• Companies I have directly worked for: (logos, currently / past)
• One packer to rule them all; Cyber Security Challenge Belgium
AGENDA
• Introduction
• Setup
• Man-in-the-Middle
• Signature Key Phishing
• APK Decompilation
• Vulnerabilities
• Infrastructure: 2
• Web: 2
• Hybrid: 4
• Mobile: 2
• Conclusion
• Q&A
INTRO
INTRODUCTION
Motivation
• Intention since 2012
• CTF-like, with rewards
• Write-ups
Timing
• Since April 2015
• Time spent: +-6 weeks
• Vacations sacrificed
INTRODUCTION
• “Facebook for Mobile Pictures”: iOS & Android Apps, Web
• 400+ Million Monthly Active Users in September 2015
• Included in Facebook’s Bug Bounty Program
Screenshots: Private account vs. Public account
SETUP
MAN-IN-THE-MIDDLE
• Attempt 1: Android Wifi Proxy Settings
• Attempt 1: Android Wifi Proxy Settings (ctd.)
Instagram v6.18.0 (25/03/2015)
• Attempt 2: Ad-hoc WiFi Access Point
Personal Android device: USB Tethering ON
Personal MacBook Pro: Internet Sharing via WiFi ON
Android Test Device: Connected to Ad-hoc Network
Instagram v6.18.0 (25/03/2015)
Instagram v7.10.0 (05/11/2015)
• Attempt 3: Ad-hoc WiFi AP & Generic Bypass Pinning
• Attempt 4: Ad-hoc WiFi AP & Smali Bypass
SIGNATURE KEY PHISHING
signed_body=0df7827209d895b1478a35a1882a9e1c87d3ba114cf8b1f603494b08b5d093b1.{"_csrftoken":"423d22c063a801f468f21d449ed8a103","username":"abc","guid":"b0644495-5663-4917-b889-156f95b7f610","device_id":"android-f86311b4vsa5j7d2","password":"abc","login_attempt_count":"11"}
HMACSHA256: the hex prefix before the dot is an HMAC-SHA256 of the JSON body that follows it.
HMACSHA256 with Key
Signature key: c1c7d84501d2f0df05c378f5efb9120909ecfb39dff5494aa361ec0deadb509a
Source: http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/
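As an added illustration (not code from the talk or from Instagram), this Python block builds and checks a signed_body of the shape shown above: the hex HMAC-SHA256 of the JSON body, a dot, then the body itself. The key is a constructed placeholder; the point for a defender is that the MAC only proves possession of a key that ships inside every client, so it cannot by itself tell a legitimate app from anything else holding that key.

```python
import hashlib
import hmac
import json

# Constructed placeholder key (not the app's real key): any party holding the
# key can mint valid signatures, so the MAC proves key possession, not intent.
DEMO_KEY = bytes.fromhex("00" * 32)


def sign_body(body: dict, key: bytes) -> str:
    """Build a signed_body value: hex(HMAC-SHA256(key, json)) + "." + json."""
    payload = json.dumps(body, separators=(",", ":"))
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{mac}.{payload}"


def verify_signed_body(signed_body: str, key: bytes):
    """Server-side check of a signed_body parameter.

    Returns the decoded JSON body when the MAC matches, None otherwise.
    The hex MAC never contains a dot, so the first dot is the separator.
    """
    mac, sep, payload = signed_body.partition(".")
    if not sep or len(mac) != 64:
        return None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak matching-prefix timing.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed request body in the shape of the slide's login payload.
    body = {"_csrftoken": "deadbeef", "username": "abc", "password": "abc",
            "login_attempt_count": "11"}
    sb = sign_body(body, DEMO_KEY)
    print(sb)
    print(verify_signed_body(sb, DEMO_KEY) == body)
```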
APK DECOMPILATION
1. Decompile APK to java source code (d2j-dex2jar & jd-cli)
2. Identify endpoints & compare APK versions programmatically
grep -roE '"[^":\. ]+/[^":\. ]*"'
3. Test old (legacy code) & monitor new endpoints (fresh code)
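An added example (not the speaker's tooling) of step 2 in Python: it applies the slide's grep pattern to the decompiled Java sources of two app versions and reports which path-like literals appeared or disappeared, so new endpoints can be monitored and dropped legacy ones tested. The two source trees are constructed stand-ins, not real app code.

```python
import re

# Python form of the slide's grep -roE '"[^":\. ]+/[^":\. ]*"': a double-quoted
# literal with at least one slash and no quote, colon, dot, space (or newline,
# since grep works per line) inside it.
ENDPOINT_RE = re.compile(r'"([^":. \n]+/[^":. \n]*)"')


def extract_endpoints(sources: dict) -> set:
    """sources maps a decompiled file name to its Java text; returns path literals."""
    found = set()
    for text in sources.values():
        found.update(ENDPOINT_RE.findall(text))
    return found


def diff_endpoints(old_sources: dict, new_sources: dict) -> dict:
    """Compare two decompiled versions: added endpoints are fresh code to monitor,
    removed ones are legacy code that may still answer on the server."""
    old_eps = extract_endpoints(old_sources)
    new_eps = extract_endpoints(new_sources)
    return {
        "added": sorted(new_eps - old_eps),
        "removed": sorted(old_eps - new_eps),
        "unchanged": sorted(old_eps & new_eps),
    }


# Constructed stand-ins for two decompiled APK versions (not real app sources).
OLD_SRC = {
    "MediaApi.java": 'String url = String.format("media/%s/permalink/", id);\n'
                     'String feed = "feed/timeline/";',
    "Legacy.java": 'String old = "legacy/old_feature/";',
    "Misc.java": 'Log.d("tag", "version: 1.0"); String host = "i.instagram.com";',
}
NEW_SRC = {
    "MediaApi.java": 'String url = String.format("media/%s/permalink/", id);\n'
                     'String feed = "feed/timeline/";\n'
                     'String comments = "media/%s/comments/";',
    "Misc.java": 'Log.d("tag", "version: 1.1"); String host = "i.instagram.com";',
}

if __name__ == "__main__":
    for kind, eps in diff_endpoints(OLD_SRC, NEW_SRC).items():
        print(kind, eps)
```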
VULNERABILITIES
INFRASTRUCTURE
1. Instagram.com Subdomain Hijacking on Local Network
# python subbrute.py instagram.com
instagram.com
www.instagram.com
blog.instagram.com
i.instagram.com
admin.instagram.com
mail.instagram.com
support.instagram.com
help.instagram.com
platform.instagram.com
api.instagram.com
business.instagram.com
bp.instagram.com
graphite.instagram.com
...
How to exploit?
a) Claim 10.* IP on local network & start local webserver of http://graphite.instagram.com
b) Lure victim into browsing to http://graphite.instagram.com and serve login page of https://www.instagram.com
c) Hope that the victim provides credentials
Requires: local network access + social engineering
Session cookie: Domain=instagram.com httponly
a) Claim 10.* IP on local network & start local webserver of http://graphite.instagram.com
b) Lure victim into browsing to http://graphite.instagram.com while being authenticated to https://www.instagram.com
c) Copy session cookie & hijack session
Thank you for your reply. This issue has been discussed at great lengths with the Facebook Security Team and while this behavior may be changed at some point in the future, it is not eligible for the bug bounty program. Although this issue does not qualify we appreciate your report and will follow up with you on any security bugs or with any further questions we may have.
Thanks and good luck with future bug hunting!
Source: https://exfiltrated.com/research-Instagram-RCE.php ($2500)
• Subdomains resolve to local IPs 10.*
• Session cookie scoped to all subdomains
2. Employee Email Authentication Brute-Force Lockout
a) Outdated Proofpoint Protection Server (7.1 < 7.5)
b) Brute-force possible against exposed login screens
Thank you for your patience here. After discussions with the product team and the security team, we have determined that this report does not pose a significant risk to user security and/or privacy. As such, this report is not eligible for our bug bounty program.
WEB
3. Public Profile Tabnabbing
http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/
We have previously been made aware of this issue and are in the process of investigating it. Thank you for submitting it to us. Please send along any additional security issues you encounter.
WEB
4. Web Server Directory Enumeration
https://instagram.com
https://instagram.com/?hl=en
https://instagram.com/?hl=./en
https://instagram.com/?hl=../locale/en
https://instagram.com/?hl=../LOCALE/EN
https://instagram.com/?hl=../wrong/en
42 hits for ..//../locale/nl/
Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.
My apologies on my previous reply, it was intended for another report. … After reviewing the issue you have reported, we have decided to award you a bounty of $500 USD.
There is one thing I'd like to add here. I have not tested this attack for obvious reasons, but wouldn't the following request have resulted in a Denial of Service attack?:
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/random%00
https://instagram.com/?hl=../../../../../../../../../../../../../../../dev/urandom%00
31/08/2015
Have you already found some time to consider my last response?
18/10/2015
Thanks for being patient. When we considered the initial report, we had already accounted for the possibility of reading files such as /dev/random and /dev/urandom, and the reward is still $500. The act of reading those files does not significantly affect our infrastructure too much as we have systems in place to deal with unresponsive servers.
29/12/2015
WEB + MOBILE
5. Private Account Shared Pictures Token Entropy
{"status": "ok", "media": {
  "organic_tracking_token": "eyJ2ZXJzaW9uIjozLCJwYXlsb2FkIjp7ImlzX2FuYWx5dGljc190cmFja2VkIjpmYWxzZSwidXVpZCI6IjYxNGMwYzk1MDRlNDRkMWU4YmI3ODlhZTY3MzUxZjNlIn0sInNpZ25hdHVyZSI6IiJ9",
  "client_cache_key": "MTExODI1MTg5MjE1NDQ4MTc3MQ==.2",
  "code": "-E1CvRRrxr",
  (...SNIP...)
  "media_type": 1,
  "pk": 1118251892154481771,
  "original_width": 1080,
  "has_liked": false,
  "id": "1118251892154481771_2036044526"
  },
  "upload_id": "1447526029474"
}
Private account
GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com

HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
Sample codes per account:
@Kevin (Pk: 3) | @MikeyK (Pk: 4) | @BritneySpears (Pk: 12246775) | @msvigdis (Pk: 12246776)
1pJ1DhgBD- | 159sxaABXG | 16jJhVG8HU | iV93JDG8Ue
1kHzf_gBLp | 1onIDogBf3 | 1yFoqcm8D9 | XMUVDFm8X8
0-pshJgBAg | 0yi-hjgBaE | 1tejnLm8Co | VuWAQam8Xv
09pY_OgBPX | 0k_oZWABSU | 1r59lSm8GX | Vj81GHm8W9
0l1GTXABDo | 0gboKEgBYr | 1qrMPRG8AB | UEoTBAG8Sy
0k_apGABDm | 0UDrVFgBVJ | 1ghW7RG8B2 | TfpmTGm8QP
0f5P_6ABOe | z-maEDgBWK | 1T3KHhm8N2 | TWbKzfm8f-
0GEiJKABAC | z5HB2BgBbj | 1Q2H_WG8LX | TVOOKEm8To
0BuHO9ABOx | zxeRSGgBaL | 1OywdMm8Lf | TThPzXm8cm
z-9x5aABEq | zSqgd5ABco | 1H2JvGG8DL | TS3Swlm8dZ
z8QVuXABD6 | zQ6VkUABdH | 08dtcTG8Hb | TOtd3tm8Ve
z4vsirABO4 | zJDzvRgBbR | 00exOYm8Br | TOfRfAm8aZ
z2KV0OgBIE | zBrTlsABXv | 0yXTU6m8MN | TJikVLm8W9
Private victim account (monitored by attacker) | Public attacker account (generated right after monitor hit)
1yCwjTJRnk | 1yCwodpTlC
1yC05mJRnq | 1yC0_ApTlL
1yC5PqpRnu | 1yC5UopTlX
1yC9nTJRnw | 1yC9repTlk
1yDGULpRn9 | 1yDGaDpTl1
1yDKrvpRoB | 1yDKvtJTl8
1yDPCCpRoI | 1yDPHVpTl_
1yDTZGpRoO | 1yDTdvpTmH
1yDXxRpRoW | 1yDX1fJTmP
1yDgdBpRol | 1yDgj6JTmb
1yDk1qpRop | 1yDk6ypTme
1yD6mjpRpT | 1yD6sCpTnL
1yEDSqpRpn | 1yEDXYJTnU
1yEHpNJRpt | 1yEHuTpTnc
1yEQWTpRqD | 1yEQb3pTnw
1yEUtCJRqL | 1yEUyJJTn5
1yEZEKJRqU | 1yEZI3pToI
1yEdaxpRqe | 1yEdfEpToO
• These tokens represent identifiers based on the following alphabet: A-Za-z0-9_- (64 characters in total)
• The first 6 characters are global, incremental identifiers
• The 7th character only differs between 2 possibilities and is based on the “Pk” of each user
• The 8th character is constant per user and is also based on the “Pk” of each user
• The 9th and 10th character are user-specific incremental identifiers with the same alphabet as the global identifier (see above)
Entropy: 64^6 = 68.719.476.736 possibilities
• The 7th character only differs between 2 possibilities and is based on the “Pk” of each user
• The 8th character is constant per user and is also based on the “Pk” of each user
Final entropy: 2 * 64^4 = 33.554.432 possibilities
Feasible!
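Added example (not from the talk): a Python model of the token structure and entropy arithmetic described above, using the slide's 64-character alphabet. It goes one step beyond the slides: the sample media shown earlier (pk 1118251892154481771 with code -E1CvRRrxr) is consistent with the code simply being that pk written big-endian in this alphabet, which is why the "global" part moves predictably; the field names and the prefix helper are mine.

```python
# The slide's alphabet: A-Z, a-z, 0-9, then "-" and "_" (64 symbols).
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789-_")


def encode_shortcode(media_pk: int) -> str:
    """Write a media pk as a big-endian base-64 string over ALPHABET."""
    if media_pk < 0:
        raise ValueError("pk must be non-negative")
    digits = []
    while media_pk:
        media_pk, rem = divmod(media_pk, 64)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits)) or ALPHABET[0]


def decode_shortcode(code: str) -> int:
    """Inverse of encode_shortcode; str.index raises on symbols outside ALPHABET."""
    value = 0
    for ch in code:
        value = value * 64 + ALPHABET.index(ch)
    return value


def token_fields(code: str) -> dict:
    """Split a 10-character code into the fields the talk describes (names are mine)."""
    if len(code) != 10 or any(ch not in ALPHABET for ch in code):
        raise ValueError("expected a 10-character code over ALPHABET")
    return {"global_counter": code[:6], "user_flag": code[6],
            "user_constant": code[7], "user_counter": code[8:]}


def shared_prefix(victim_code: str, attacker_code: str) -> int:
    """Leading characters two codes minted close together have in common:
    this is what the monitor-and-upload table above makes visible."""
    n = 0
    for a, b in zip(victim_code, attacker_code):
        if a != b:
            break
        n += 1
    return n


def search_space(unknown_chars: int = 6, flag_choices: int = 2) -> tuple:
    """Slide arithmetic: naive 64^n possibilities, then the 7th character shrinks
    to `flag_choices` values and the 8th is fixed per user (divide by 64)."""
    naive = 64 ** unknown_chars
    refined = naive // 64 * flag_choices // 64
    return naive, refined


if __name__ == "__main__":
    print(encode_shortcode(1118251892154481771))      # -E1CvRRrxr
    print(token_fields("1yCwjTJRnk"))
    print(shared_prefix("1yCwjTJRnk", "1yCwodpTlC"))  # 4
    print(search_space())                             # (68719476736, 33554432)
```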
After reviewing the issue you have reported, we have decided to award you a bounty of $1000 USD.
6. Private Account Shared Pictures CSRF
GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
User-Agent: Instagram 7.10.0 Android (19/4.4.4; 320dpi; 768x1184; LGE/google; Nexus 4; mako; mako; en_US)
Cookie: sessionid=IGSC0098a4bee11b593953fd4a3fe0695560f407a103d8eef9f5be083ff21e186673:PEVejQeSkS2p8WYxAEgtyUWdXz9STvKM:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:7DcRpg1d0ve5T0NkbToN5yVleZUh0Ifh:571e05df8ecd8de2efc47dca5f222720233234f6f0511fb20e0ad42c1302ea27","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447525940.04528,"_platform":1}

HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
GET /api/v1/media/1118251892154481771_2036044526/permalink/ HTTP/1.1
Host: i.instagram.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Cookie: sessionid=IGSCffa96a73743adba6c93194ae05041159e0cf6ede2627ae3735c3aa9079cfe853:EasK95PNVAy5CUCA8RnhXrFsCy6I6S5R:{"_token_ver":1,"_auth_user_id":2036044526,"_token":"2036044526:QTKFc7soS0BHa61aqjAmoqLQ3B3hDkLd:d567a7909eb6db0bc766c5f1f168ae2c5e3086aae93c67273cda175933d96162","_auth_user_backend":"accounts.backends.CaseInsensitiveModelBackend","last_refreshed":1447628626.205864,"_platform":4}

HTTP/1.1 200 OK
(…SNIP…)
{"status":"ok","permalink":"https:\/\/instagram.com\/p\/-E1CvRRrxr\/"}
a) Find Private Account pictures image_id
b) Find permalink of Shared Private Account picture (CSRF)
a) Find Private Account pictures image_id: Usertags Feed Authorization Bypass
After reviewing the issue you have reported, we have decided to award you a bounty of $1000.
GET instead of POST → CSRF attack surface
WEB + MOBILE
7. Email Address Account Enumeration
After reviewing the issue you have reported, we have decided to award you a bounty of $750 USD.
8. Account Takeover via Change Email Functionality
Spot the difference
a. Unconfirmed Email Address Reset to Default
b. Reclaim Email Address Link Invalidation
145
User Email address(es)victim instagrampentesting1@gmail.com
attacker Instagrampentesting2@gmail.comInstagrampentesting3@gmail.com
Scenario: assume temporary access for an attacker to the victim's session, e.g. via:
• Man-in-the-Middle (before SSL Pinning)
• Physical access to unlocked phone
• Cross-site Scripting vulnerability

(Screenshots: the attacker's side of the flow)
Victim
  Email:         instagrampentesting1@gmail.com
  Reclaim link:  https://instagram.com/accounts/disavow/xjo94i/OyYT1kWz/aW5zdGFncmFtcGVudGVzdGluZzFAZ21haWwuY29t/
Attacker
  Email:         instagrampentesting2@gmail.com
  Reclaim link:  https://instagram.com/accounts/disavow/xjo94i/TmQBFjzk/aW5zdGFncmFtcGVudGVzdGluZzJAZ21haWwuY29t/

(Screenshots: the “Currently owns victim account” marker sits first with the victim, then with the attacker, who ends up winning: “Wins!”)

After reviewing the issue you have reported, we have decided to award you a bounty of $2000 USD.

Underlying issues:
• Mail to wrong email address
• Allow chaining of “secure account” links
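The invalidation that 8b was missing, modelled as an added example (this is illustrative code for this write-up, not Instagram's): a reclaim link is minted only when a confirmed address is displaced, it is single-use, and consuming it revokes every other outstanding link, so a displaced unconfirmed (attacker-set) address never gets a link to chain. The link layout and the three test addresses follow the deck; the "xjo94i" segment is reused from the deck's link as an opaque placeholder.

```python
# Added example (a model written for this write-up, not Instagram's code): account
# reclaim ("disavow") links that cannot be chained. A link is minted only when a
# *confirmed* address is displaced, it is single-use, and using it revokes all others.
import base64
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    email_confirmed: bool = True
    reclaim_tokens: dict = field(default_factory=dict)  # token -> address it restores


def change_email(acct: Account, new_email: str):
    """Switch to an unconfirmed address; return a reclaim link for the old one, or None."""
    displaced, was_confirmed = acct.email, acct.email_confirmed
    acct.email, acct.email_confirmed = new_email, False
    if not was_confirmed:
        return None  # displaced address was never confirmed: no link, so nothing to chain
    token = secrets.token_urlsafe(8)
    acct.reclaim_tokens[token] = displaced  # earlier links stay live; they restore the same owner
    b64 = base64.b64encode(displaced.encode()).decode().rstrip("=")
    # Same path layout as the deck's link; mailed to the displaced address, never the new one
    return f"https://instagram.com/accounts/disavow/xjo94i/{token}/{b64}/"


def reclaim(acct: Account, link: str) -> bool:
    """Consume a reclaim link: the token must be live and match the embedded address."""
    token, b64 = link.rstrip("/").split("/")[-2:]
    restore = acct.reclaim_tokens.get(token)
    if restore is None:
        return False  # unknown, already used, or revoked
    claimed = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode()
    if claimed != restore:
        return False  # tampered payload
    acct.reclaim_tokens.clear()  # single use: every outstanding link dies here
    acct.email, acct.email_confirmed = restore, True
    return True


def deck_scenario() -> dict:
    """Deck flow: hijacked session changes the email twice, victim reclaims, attacker replays."""
    acct = Account("instagrampentesting1@gmail.com")
    victim_link = change_email(acct, "instagrampentesting2@gmail.com")
    attacker_link = change_email(acct, "instagrampentesting3@gmail.com")  # None: no chaining
    return {"attacker_link": attacker_link, "reclaimed": reclaim(acct, victim_link),
            "replayed": reclaim(acct, victim_link), "email": acct.email}
```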
9. Private Account Users Following (MOBILE)

Request, with target_id pointing at a private account:

GET /api/v1/discover/su_refill/?target_id=2036044526 HTTP/1.1
Host: i.instagram.com
Connection: Keep-Alive
Cookie: sessionid=IGSCd064c22cd43d17a15dca6bc3a903cb18e8f9e292a859c9d1289ba268103ee563%3A1WJvjHstqAnPj0i5dcjVRpgcn3wCRQgk%3A%7B%22_token_ver%22%3A1%2C%22_auth_user_id%22%3A2028428082%2C%22_token%22%3A%222028428082%3AYeZzCYWQLGD8D7d3NzFIbBiWlYJVVa7G%3A078ae8d72b72846a6431945fd59c38f1b04b8f93dd6ec4b20165693e65b21915%22%2C%22_auth_user_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C%22last_refreshed%22%3A1441031445.81182%2C%22_platform%22%3A1%7D; ds_user=pentestingvictim

Response:

HTTP/1.1 200 OK
(…SNIP…)
{"status": "ok", "items": [
  {"caption": "", "social_context": "Based on follows",
   "user": {"username": "springsteen", "has_anonymous_profile_picture": false,
            "profile_pic_url": "http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-19\/11370983_1020871741276370_1099684925_a.jpg",
            "full_name": "Bruce Springsteen", "pk": "517058514", "is_verified": true, "is_private": false},
   "algorithm": "chaining_refill_algorithm",
   "thumbnail_urls": ["http:\/\/scontent-ams2-1.cdninstagram.com\/hphotos-xfa1\/t51.2885-15\/s150x150\/e35\/11373935_872054516217170_419659415_n.jpg?"],
   (…SNIP…)
  {"caption": "", "social_context": "Based on follows",
   "user": {"username": "pentesttest", "has_anonymous_profile_picture": true,
            "profile_pic_url": "http:\/\/images.ak.instagram.com\/profiles\/anonymousUser.jpg",
            "full_name": "rest", "pk": "1966431878", "is_verified": false, "is_private": true},
   "algorithm": "chaining_refill_algorithm", "thumbnail_urls": [],
   "large_urls": [], "media_infos": [], "media_ids": [], "icon": ""}
]}

After reviewing the issue you have reported, we have decided to award you a bounty of $2,500 USD.
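The check behind vulnerability 9, as an added example (illustrative code for this write-up, not Instagram's): a derived-data endpoint such as su_refill must apply the same visibility rule as the /following list it derives "Based on follows" suggestions from. The payload is a trimmed copy of the deck's response and the ids are taken from the deck's request; the social graph around them (who is private, who follows whom) is constructed.

```python
# Added example (written for this write-up, not Instagram's code): a derived-data
# endpoint must apply the same visibility rule as the data it derives from. Here the
# "Based on follows" suggestions for a private target are gated like that target's
# /following list. The payload is a trimmed copy of the deck's su_refill response;
# the social graph around it is constructed.
import json

SU_REFILL_RESPONSE = json.loads("""
{"status": "ok", "items": [
  {"social_context": "Based on follows", "algorithm": "chaining_refill_algorithm",
   "user": {"username": "springsteen", "pk": "517058514", "is_private": false}},
  {"social_context": "Based on follows", "algorithm": "chaining_refill_algorithm",
   "user": {"username": "pentesttest", "pk": "1966431878", "is_private": true}}
]}""")

TARGET_ID = "2036044526"                       # target_id from the deck's request
REQUESTER_ID = "2028428082"                    # _auth_user_id of the deck's session cookie
PRIVATE_ACCOUNTS = {TARGET_ID, "1966431878"}   # constructed
APPROVED_FOLLOWERS = {TARGET_ID: {"424242"}}   # constructed: only 424242 follows the target
FOLLOWING = {TARGET_ID: {"517058514", "1966431878"}}  # constructed: whom the target follows


def can_view_following(viewer_id: str, target_id: str) -> bool:
    """The rule the direct /following endpoint enforces for private accounts."""
    return (target_id not in PRIVATE_ACCOUNTS or viewer_id == target_id
            or viewer_id in APPROVED_FOLLOWERS.get(target_id, set()))


def leaked_follows(viewer_id: str, target_id: str, response: dict) -> set:
    """Regression check: pks in the response that reveal whom a private target follows
    to a viewer who may not see that list. Non-empty means the endpoint leaks."""
    if can_view_following(viewer_id, target_id):
        return set()
    return {i["user"]["pk"] for i in response["items"]
            if i["social_context"] == "Based on follows"
            and i["user"]["pk"] in FOLLOWING.get(target_id, set())}


def su_refill(viewer_id: str, target_id: str, response: dict = SU_REFILL_RESPONSE) -> dict:
    """Hardened refill: suppress follow-derived suggestions the viewer is not entitled to."""
    if can_view_following(viewer_id, target_id):
        return response
    items = [i for i in response["items"] if i["social_context"] != "Based on follows"]
    return {**response, "items": items}
```

Running leaked_follows against the deck's unfiltered response reproduces the finding; running it against su_refill's output is the regression test that should stay green.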
10. Steal Money Through Premium Rate Phone Numbers (MOBILE)

Initial response from Facebook:
This is intentional behavior in our product. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.

Impact estimate:
              1 account     100 accounts
per hour      $2            $200
per day       $48           $4.800
per month     $1.440        $144.000

Follow-up from Facebook:
Hello again! We'll be doing some fine-tuning of our rate limits and work on the service used for outbound calls in response to this submission, so this issue will be eligible for a whitehat bounty. You can expect an update from us again when the changes have been made. Thanks!
...
After reviewing the issue you have reported, we have decided to award you a bounty of $2000 USD.
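One way to do the "fine-tuning of our rate limits" the follow-up mentions, as an added example (modelled for this write-up, not Instagram's code): budget outbound verification calls per destination number as well as per account. The impact table above is the reason, since a per-account limit alone scales linearly with the number of attacker accounts while every call still terminates on the same number. The limits, windows and the all-zero destination number are constructed placeholders.

```python
# Added example (modelled for this write-up, not Instagram's code): limit outbound
# verification calls per *destination number* as well as per account. The deck's
# table shows why a per-account limit alone fails: 100 accounts mean 100x the
# payout, while every call still lands on the same premium-rate number.
from collections import defaultdict, deque

ACCOUNT_WINDOW_S = 3600    # per-account budget window (1 hour)
NUMBER_WINDOW_S = 86400    # per-number budget window (1 day)


class CallLimiter:
    def __init__(self, per_account_per_hour: int = 3, per_number_per_day: int = 5):
        self.per_account = per_account_per_hour
        self.per_number = per_number_per_day
        self.by_account = defaultdict(deque)  # account -> call timestamps
        self.by_number = defaultdict(deque)   # destination number -> call timestamps

    @staticmethod
    def _prune(log: deque, now: float, window: float) -> None:
        while log and now - log[0] >= window:
            log.popleft()

    def allow_call(self, account: str, number: str, now: float) -> tuple:
        """Return (allowed, reason); both budgets must have room before a call is placed."""
        self._prune(self.by_account[account], now, ACCOUNT_WINDOW_S)
        self._prune(self.by_number[number], now, NUMBER_WINDOW_S)
        if len(self.by_account[account]) >= self.per_account:
            return False, "account"
        if len(self.by_number[number]) >= self.per_number:
            return False, "number"
        self.by_account[account].append(now)
        self.by_number[number].append(now)
        return True, "ok"


def simulate(accounts: int, calls_each: int, limiter: CallLimiter) -> dict:
    """Every account requests calls to one shared number at t=0; tally what gets through."""
    number = "+000000000000"  # placeholder destination, not a real number
    tally = {"ok": 0, "account": 0, "number": 0}
    for a in range(accounts):
        for _ in range(calls_each):
            _, reason = limiter.allow_call(f"acct{a}", number, now=0.0)
            tally[reason] += 1
    return tally
```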
CONCLUSION

#    Vulnerability                                          Category         Bounty
1    Instagram.com Subdomain Hijacking on Local Network     Infrastructure   $0
2    Employee Email Authentication Brute-Force Lockout      Infrastructure   $0
3    Public Profile Tabnabbing                              Web              $0
4    Web Server Directory Enumeration                       Web              $500
5    Private Account Shared Pictures Token Entropy          Hybrid           $1000
6    Private Account Shared Pictures CSRF                   Hybrid           $1000
7    Email Address Account Enumeration                      Hybrid           $750
8    Account Takeover via Change Email Functionality        Hybrid           $2000
9    Private Account Users Following                        Mobile           $2500
10   Steal Money Through Premium Rate Phone Numbers         Mobile           $2000 + 1
     Total                                                                   $9750 + 1

SDLC Mapping Summary (pie chart): Development (6) 46%, Design (5) 39%, Maintenance (2) 15%

Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks (#20/152)
Facebook Hall of Fame: https://www.facebook.com/whitehat/thanks (#3/13)

Hunting, Reporting, Disclosing

#    Vulnerability   Category         Bounty
11   XXXX            Mobile           ?
12   XXXX            Mobile           ?
13   XXXX            Mobile           ?
14   XXXX            Web              ?
15   XXXX            Infrastructure   ?
     Total                            ?

THANK YOU! ANY QUESTIONS?