The following article was written by viaForensics researcher Sebastiàn Guerrero (@0xroot) about his discovery and reporting of a security vulnerability in Instagram, and the subsequent patching of the vulnerability by the Facebook security team.

Introduction

Instagram is an online photo-sharing and social networking service that enables its users to take pictures, apply digital filters to them, and share them on a variety of social networking services, such as Facebook or Twitter. The purpose of this article is to show a vulnerability recently found in the “Photo Map” service used by the application. This vulnerability was quickly fixed by the Facebook security team after it was discovered and reported. The associated timeline was as follows:

  • May 7th, 2013 – Vulnerability discovered by Sebastiàn Guerrero
  • May 7th, 2013 – First contact with Facebook
  • May 8th, 2013 – Open a ticket to research the issue
  • May 8th, 2013 – Vulnerability fixed and update deployed into the market
  • May 28th, 2013 – Confirmation received from Facebook to publish this write-up

In appreciation, they put my name in their ‘Hall of Fame’ and delivered a monetary reward for my research.

Photo Map Service

The service in question is a new feature that allows users to tag and share their pictures with other users. To give you an idea of the service, it looks like this:

A user identified in the system can edit his own images but can’t perform any action against other users’ pictures shared on their respective Photo Maps. As you can see in the image below, the app behaved as expected. At this point I wondered how an attacker might get access to those pictures and perform undesired actions without the user’s knowledge. Thinking it over, I found a way to circumvent this mechanism and attack any user registered in the service. This is how I found ‘The Hipster’s Vulnerability’.

The Hipster’s Vulnerability

For the tests I’ve created two user accounts, oxrootest with the user ID 367915196 and the user oxrootest2 with the user ID 370718247. If we initiate the login process using the first user (who never took a picture before), after accessing the Photo Map service, the following message appears.

“A fun new way to view photos on a map. Your photo map is empty because you have not geotagged any photos. Select ‘Add your photo to the map’ and you will see pictures to share here.” I intercepted the request sent by the application when I tried to access the resource and got the following:


GET /api/v1/maps/user/367915196/ HTTP/1.1
Host: instagram.com
Proxy-Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept:

As you can see, the user ID is embedded in the request the app makes for the requested resource, among other parameters. One of them caught my attention immediately: ds_user_id. What could possibly go wrong if an attacker was able to intercept this request? So I modified the request, supplying another user ID in both places, the ds_user_id parameter and the value embedded in the URL. To my surprise, I was able to circumvent the security mechanism and get access to the tagged pictures of any user.

Identified in the system as oxrootest, I repeated the same steps, this time using the user ID assigned to my other test account, oxrootest2. The pictures tagged by that account immediately appeared in the service, along with a button that let me edit those tags, even though I wasn’t the owner of the pictures.

Seduced by curiosity, I followed the on-screen instructions step by step. I came, I saw, I conquered (well, deleted).

After deleting the photos, when I logged in to Instagram as the user oxrootest2, I saw a devastating scenario: all my nerd pictures were gone.

What’s the real scope of this attack?

The scope of this vulnerability went beyond individual photos. It opened the door to a brute-force attack: enumerate all the users of the service and delete their tagged pictures one by one. We already know the request the application sends to the server when it accesses the service:


GET /api/v1/maps/user/367915196/ HTTP/1.1 
Host: instagram.com 
Proxy-Connection: keep-alive 
Accept-Encoding: gzip, deflate 
Accept: 

If we automate generation of the user ID while performing the brute-force attack and inspect the response returned by the server, we can infer the following:

  • Response size less than 869 bytes – The user has not tagged any pictures.
  • Response size greater than 869 bytes – Mmmmmh… I LIKE (the user has tagged pictures).

In the same way, if we know the ID of a particular user, we could aim the attack at that user, as explained earlier. I also recorded a proof-of-concept video for this vulnerability.
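The two defender-side lessons of this write-up, modelled as an added example (not Instagram’s code): a Photo Map edit handler that trusts the client-supplied ds_user_id / URL user ID the way the bug did, beside a hardened version that derives the acting user from the server-side session and checks ownership, plus a log check that flags one session walking many distinct user IDs, the enumeration pattern described above. Session store, photo-map contents and log format are all constructed for the example.

```python
# Added example, not Instagram's code: the Photo Map authorization flaw,
# its fix, and a log check for the user-ID enumeration pattern.
from collections import defaultdict

# Constructed sample data: server-side session store (cookie -> authenticated
# user ID) and each user's tagged photos. IDs are the test accounts from the post.
SESSIONS = {"sess-a": 367915196, "sess-b": 370718247}
PHOTO_MAP = {367915196: set(), 370718247: {"img1", "img2"}}

def delete_tag_vulnerable(session_cookie, request):
    """Authenticates the session but authorizes on the client-supplied
    ds_user_id, so any logged-in user can edit any user's photo map."""
    if session_cookie not in SESSIONS:
        return 401
    owner = request["ds_user_id"]          # attacker-controlled value
    PHOTO_MAP[owner].discard(request["photo"])
    return 200

def delete_tag_fixed(session_cookie, request):
    """Derives the acting user from the server-side session; the URL user ID
    and ds_user_id are untrusted input and must match the authenticated user."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return 401
    if request["url_user_id"] != user or request["ds_user_id"] != user:
        return 403                         # not the owner of this photo map
    PHOTO_MAP[user].discard(request["photo"])
    return 200

def enumeration_suspects(log_lines, threshold=3):
    """Return sessions that requested the photo maps of >= threshold distinct
    user IDs. Constructed log format: '<session> GET <path> <status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        sess, _method, path, _status = line.split()
        if path.startswith("/api/v1/maps/user/"):
            seen[sess].add(path.rstrip("/").rsplit("/", 1)[1])
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```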

PS: No hipster was damaged while I was performing this research.

Sebastián Guerrero Selma

Senior Mobile Security Analyst at NowSecure

Sebastián's work includes mobile and web security research, developing tools and techniques for assessing vulnerabilities and performing post-exploitation of mobile devices and apps, and reverse engineering embedded and mobile platforms.