Instagram HACKED! Researcher Hacked into Instagram Server

Yup! You read that right: a hacker got into an Instagram server and gained access to almost everything on it.

Wesley Weinberg, a senior security researcher at Synack, discovered a series of critical security vulnerabilities on one of the Instagram servers that allowed access to a range of sensitive data on the server, including:
  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over half a dozen other critical functions
Weinberg reported the security issues to Facebook's team as part of its bug bounty program, but instead of rewarding him, Facebook threatened to sue the researcher, accusing him of intentionally withholding flaws and information from its team.

Weinberg found a potentially vulnerable server at sensu.instagram.com, where he discovered a Remote Code Execution (RCE) bug in the way it processed users' session cookies, which are generally used to remember users' login details.

Exploiting the vulnerability, Weinberg was able to read a database containing login details, including credentials, of Instagram and Facebook employees.
Although the passwords were hashed with bcrypt, some of them were easy to crack because they were too weak, such as changeme, password and instagram.

After discovering the vulnerability, Weinberg read the configuration files on the server, and as it turned out, one of them contained keys for Amazon Web Services accounts, the cloud computing service used to host Instagram's Sensu setup.

These keys listed 82 Amazon S3 buckets (storage units), but they only gave him access to one of them. He found nothing sensitive in the latest version of the file in that bucket, but when he looked at an older version of the same file, he found another key pair that let him read the contents of all 82 buckets.
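The lesson in that step is that a key removed from the current version of a file can live on in earlier versions of a versioned S3 object, and a review of only the current objects never sees it. The following is an added example, not from the article or from Weinberg's work, of the scanning logic a defender would run: it takes object versions in the shape that boto3's list_object_versions and get_object(VersionId=...) return and flags credential-like values, separating hits that exist only in superseded versions; the object key, version ids and key values (AWS's documented example credentials, not real keys) are constructed sample data.

```python
import re
from dataclasses import dataclass

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase
# alphanumerics. Secrets themselves are caught by their config key name.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_VALUE_RE = re.compile(
    r"(?i)(secret|password|passwd|token|private)\w*[\"']?\s*[:=]\s*[\"']?([^\"'\s,]+)")

@dataclass
class ObjectVersion:  # one ListObjectVersions entry plus its fetched, decoded body
    key: str
    version_id: str
    is_latest: bool
    body: str

def find_credentials(text):
    """Return (line_no, reason) for every credential-looking line in one body."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID_RE.search(line):
            hits.append((line_no, "aws-access-key-id"))
        elif SECRET_VALUE_RE.search(line):
            hits.append((line_no, "secret-like-value"))
    return hits

def audit_versions(versions):
    """Scan every version, not just the current one: superseded versions stay
    readable via GetObjectVersion after the current object has been cleaned."""
    return [{"key": v.key, "version_id": v.version_id, "is_latest": v.is_latest,
             "line": line_no, "reason": reason}
            for v in versions for line_no, reason in find_credentials(v.body)]

def stale_only(findings):
    """Findings only in superseded versions, which a scan of current objects misses."""
    return [f for f in findings if not f["is_latest"]]

# Constructed sample: the current config uses an instance profile, while the
# older version still carries AWS's documented example credentials (not real).
NEW_BODY = '{\n  "aws": {\n    "credential_source": "instance-profile"\n  }\n}'
OLD_BODY = ('{\n  "aws": {\n    "access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
            '    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n  }\n}')
SAMPLE_VERSIONS = [
    ObjectVersion("sensu/config.json", "v2-current", True, NEW_BODY),
    ObjectVersion("sensu/config.json", "v1-superseded", False, OLD_BODY),
]

if __name__ == "__main__":
    for f in stale_only(audit_versions(SAMPLE_VERSIONS)):
        print(f"{f['key']}@{f['version_id']} line {f['line']}: {f['reason']}")
```

Against a real bucket, build the ObjectVersion list from every entry of list_object_versions (IsLatest included) and the matching get_object body; any stale finding means the key must be treated as exposed and rotated, not merely deleted from the current version.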

With this information, Weinberg had access to almost everything on Instagram's servers, including:
  • Instagram's source code
  • SSL certificates and private keys (including for instagram.com and *.instagram.com)
  • API keys that are used for interacting with other services
  • Images uploaded by Instagram users
  • Static content from the instagram.com website
  • Email server credentials
  • iOS/Android app signing keys
  • Other sensitive data
Weinberg reported the security issues to Facebook's team, but the social media giant ended up threatening legal action against the researcher, as it was concerned he had accessed private data of its users and employees while uncovering the issues.

After some more discussion (which can be read on Weinberg's blog), Facebook promised to reward him with $2,500 for his RCE finding on the Instagram server.

However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data did not qualify for a reward, with Facebook saying he had violated user privacy while accessing the data.