Facebook has closed brute force authentication holes that would have allowed the hijacking of some 20 million Instagram accounts.
Researcher Arne Swinnen was poking around in the service’s password reset processes and found that about 4% of Instagram accounts could be compromised with little effort. He reported the issues through the Facebook bug bounty program, and Facebook fixed them within 24 hours.
Swinnen, meanwhile, was paid a none-too-shabby $5,000 bounty.
“The combination of easy user enumeration—guessing valid user IDs—and evadable password-guessing rate limiting means that attackers could have hijacked thousands of Instagram accounts for the purpose of spamming and phishing attacks, undetected,” said Tod Beardsley, security research manager at Rapid7. “Because Facebook and Swinnen worked together to identify and fix the rate limiting issues, Facebook gets to tell a positive story of better security moving forward.”
The problem came to light after Swinnen, who has found Instagram flaws in the past, logged into one of his test accounts using valid credentials. He was immediately redirected to a page asking for additional account verification, probably because the account had been inactive. The problem was that this page was reachable without being authenticated, and it was keyed on his Instagram account’s unique user ID. An attacker could therefore reach the account verification page while skipping the login step entirely, as long as he or she knew the target account’s user ID.
One of the options on the verification page allowed the user to update the email address of the temporarily locked account.
“Once an attacker could set the email address linked to an Instagram account, he/she could perform a password reset via email and gain full access to it,” Swinnen explained. While this carries a big security impact, only 0.17% of the accounts in a one-million-ID range were found to be affected.
The other option was to update the account’s phone number and then verify the account; this worked for 3.88% of the accounts in the same range.
“This case was the most troublesome, as an attacker could on one hand gather sensitive user information (pre-filled phone number in some cases), and on the other hand simply update the phone number linked to the victim Instagram account,” he explained. “After successfully linking a new phone number, an attacker could perform the ‘reset password via SMS’ scenario and gain complete access to the account.”
He added that a quick manual check found that these were mostly human accounts that had been inactive for a couple of weeks, many of which had a good number of followers on Instagram.
The fix was simple: enforcing authentication on the pages that allow profile information such as the email address and/or phone number to be updated.
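The flaw and its fix reduce to a single design point: a page that changes account contact details must derive the target account from an authenticated session, not from a user ID supplied in the request. The following Python model is an added illustration written for this article, not Swinnen’s own proof of concept or Instagram’s code; the account data, the shape of the requests, the reset-token flow and every function name are assumptions made for the demonstration. It shows the vulnerable handler (account chosen by a request-supplied `user_id`, no session check), the hardened handler (account taken from the session), and the takeover chain Swinnen described (repoint the email, reset the password, log in), run over a sweep of sequential IDs the way an attacker enumerating the ID space would.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    password: str  # plaintext only because this is a toy model; never do this in production


class Store:
    """In-memory stand-in for the service's user, session and reset-token tables (assumed)."""

    def __init__(self):
        self.accounts = {}      # user_id -> Account
        self.sessions = {}      # session token -> user_id
        self.reset_tokens = {}  # reset token -> user_id
        self.outbox = []        # (recipient email, reset token) that "left" the mail server

    def login(self, username, password):
        """Return a session token on valid credentials, else None."""
        for acct in self.accounts.values():
            if acct.username == username and secrets.compare_digest(acct.password, password):
                token = secrets.token_urlsafe(16)
                self.sessions[token] = acct.user_id
                return token
        return None


def vulnerable_update_email(store, request):
    """Before the fix: the verification page trusts the user_id in the request and
    never checks for a session, so anyone who knows an ID can change the email."""
    acct = store.accounts.get(int(request["user_id"]))
    if acct is None:
        return 404
    acct.email = request["new_email"]
    return 200


def hardened_update_email(store, request):
    """After the fix: the target account comes from an authenticated session, and a
    user_id in the request is accepted only if it matches that session."""
    uid = store.sessions.get(request.get("session"))
    if uid is None:
        return 401
    if "user_id" in request and int(request["user_id"]) != uid:
        return 403
    store.accounts[uid].email = request["new_email"]
    return 200


def request_password_reset(store, email):
    """'Reset password via email': mint a token and mail it to the address on file."""
    for acct in store.accounts.values():
        if acct.email == email:
            token = secrets.token_urlsafe(16)
            store.reset_tokens[token] = acct.user_id
            store.outbox.append((email, token))
            return True
    return False


def complete_password_reset(store, token, new_password):
    uid = store.reset_tokens.pop(token, None)
    if uid is None:
        return False
    store.accounts[uid].password = new_password
    return True


def takeover(store, update_handler, victim_id, attacker_email):
    """The chain Swinnen described: repoint the victim's email, reset, log in.
    Returns the attacker's session token for the victim account, or None."""
    status = update_handler(store, {"user_id": victim_id, "new_email": attacker_email})
    if status != 200:
        return None
    request_password_reset(store, attacker_email)
    _, token = store.outbox[-1]  # the attacker reads the reset mail in their own inbox
    complete_password_reset(store, token, "attacker-chosen-password")
    victim = store.accounts[victim_id]
    return store.login(victim.username, "attacker-chosen-password")


def make_store():
    """Constructed sample data: three accounts with sequential IDs."""
    store = Store()
    for uid, name in [(1001, "alice"), (1002, "bob"), (1003, "carol")]:
        store.accounts[uid] = Account(uid, name, f"{name}@example.invalid", f"{name}-secret")
    return store


def sweep(update_handler, id_range):
    """Walk a range of sequential IDs like an enumerating attacker; return the IDs taken over."""
    store = make_store()
    return [uid for uid in id_range
            if uid in store.accounts
            and takeover(store, update_handler, uid, f"attacker+{uid}@example.invalid")]


if __name__ == "__main__":
    print("vulnerable handler, IDs taken over:", sweep(vulnerable_update_email, range(1000, 1010)))
    print("hardened handler, IDs taken over:  ", sweep(hardened_update_email, range(1000, 1010)))
```

The hardened handler also rejects a request that carries a session for one account but a `user_id` for another, which is the check that stops the same page from being turned into an authenticated-but-cross-account attack once a login requirement is added. Rate limiting on the login endpoint is a separate control and is not modelled here.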
And, of course, the best passwords are as long as possible, consist of purely random characters, and are stored in a password manager such as KeePass, 1Password or LastPass, Beardsley noted.
“While many sites limit password length to 10 or 12 characters, Instagram appears to allow extremely long passwords (over 40 characters), so users can take advantage of this to create passwords which are not guessable even in the face of a rate unlimited attack like the one described by Swinnen,” he said.
Photo © AliceNoir