The Belgian security researcher Arne Swinnen discovered two security flaws affecting the Instagram platform that allowed attackers to launch brute force attacks against its accounts.
The bug hunter received a $5,000 bounty from Facebook for its discovery after finding two security flaw that could have allowed hackers to brute-force Instagram account passwords.
The expert explained that the issue affected both the official Android application and the registration page on instagram.com.
“Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force passwords of user accounts. Combined with user enumeration, a weak password policy, no 2FA nor other mitigating security controls, this could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones. Facebook fixed both issues and awarded a combined bounty of $5.000.” Swinnen wrote in a blog post.
In December, Swinnen reported to Facebook the first flaw in the Instagram platform, it could have been exploited to launch a brute force attack against the authentication domain used by the Instagram app for Android.
It was incredibly easy to hack an Instagram account, the expert used the Burp Intruder tool to test the authentication process and discover that attacker was allowed 1,000 guesses from a single IP address before displaying an alert message “username not found,” although the user obviously still existed.
The message is visible until the 2,000th attempt, but from there on the system started providing one reliable response (i.e. the password is correct/incorrect) and one unreliable response (i.e. user not found).
A similar authentication process clearly allows a brute-force attack as explained the expert:
“This allowed a reliable brute-force attack since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received. The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt.”
The attacker can have uses a simple script that replayed the unreliable responses until a reliable response was provided by the platform. Swinnen used a script that allowed him to test 10,001 passwords against an Instagram account.
Another proof of the lack of an efficient authentication process was the fact that the attacker could have logged into the compromised account from the same IP address used to launch the brute force attack.
In February, Swinnen reported a second flaw in the Instagram platform that affected the registration page from the official website.
The bug hunter registered a test account and intercepted the request generated during the procedure and sent to Instagram. Swinnen sent the same request to the server and received a response containing the message “Those credentials belong to an active Instagram account.”
He also noticed the absence of limitation in the number of requests that an attacker can send to Instagram, a circumstance that allowed the attacker to create a script that sent out requests with various passwords for a targeted username.
The script could send request until it received a response contained the message saying that the credentials belonged to an active account, in this case, the password was correct otherwise the platform replied with a “fail” status.
Facebook company, who owns Instagram, improved the authentication process by limiting the number of login attempts and forcing users in the adoption of stronger passwords.
The company awarded Swinnen a bounty of $5,000 for the two vulnerabilities.
If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.
(Security Affairs – Instagram, hacking)