lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 28 Aug 2013 08:54:35 +0000
From: Georg Lukas <lukas@...solutions.de>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Two Instagram Android App Security Vulnerabilities

Affected app: Instagram for Android
Affected versions: 4.0.2 and 4.1.2, probably also earlier versions (as well as iOS) affected.

# Summary

After the Instagram iOS vulnerability discovered last year [1], the app's HTTP API has been extended with a cryptographic
authentication for changes like "likes" and deletes. However, the implementation of this authentication is flawed in two ways,
making it possible to "like" or delete pictures in the name of another user, once his credentials have been sniffed over plain-text
HTTP.

# Vulnerability 1: Partial Cryptographic Authentication

When a user issues a "like" or "delete" command from the app, an HTTP POST request is made to the instagram server:

	POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
	Host: instagram.com
	[more headers stripped]

	
signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%
7D&ig_sig_key_version=4&src=timeline&d=0

The POSTed data is a set of multiple form-urlencoded parameters, with the first one being most interesting. The signed_body
parameter is a cryptographic signature, concatenated with a JSON string ('{"media_id":"528086397952388638_263262746"}' in the
example above). In that string, the media ID from the POST URL (the internal identifier of a picture) is encoded again, and the
signature is created over exactly this JSON string.

Because only the media_id is authenticated, but not the action to be performed, it is possible for an attacker who can sniff the
credentials cookie and a "Like" API message to forge a "Delete" message for the same image, re-using the authentication signature.
Of course, this only works in the unlikely case where users "like" their own image over a public network.

# Vulnerability 2: Bad Key Choice

However, the secret key used for this authentication signature is hard-coded in the app. That means an attacker who can extract the
key from the app is able to forge the cryptographic signature for any media_id desired. Once an attacker gains the authentication
cookie (which is transmitted over plaintext HTTP by the app), he can delete all the pictures posted by the user so far, and also
"like" or "un-like" any pictures available for view.

The signature key is stored in an obfuscated fashion in a combination of native and Java code. It is obtained by calling
NativeBridge.getInstagramString("[snipped]") from the RequestUtil.generateSignature(String request) method. Afterwards, an
HMAC-SHA256 signature is generated with the key over the request string. We are not providing proof-of-concept code for this
vulnerability because making the static signature key public would allow scripted access to the Instagram API.

# Suggested Countermeasures

We suggest switching all communications from the app to the API server to use HTTPS, like already done by most other major
providers. If this is not feasible, we suggest extending the cryptographic authentication as follows:

1.	Use a signing key that is specific to the given user and not known to third parties, i.e. downloaded via HTTPS or at least
derived from the user’s username+password
2.	Add a sequence number into the signed_body field
3.	Add the POST URL or some other encoding of the action to perform into the signed_body, and validate it on the server

# Timeline

*	2013-07-21 We have discovered the vulnerability.
*	2013-07-23 The vendor was contacted via e-mail, there was no reply yet.
*	2013-08-07 Instagram 4.1 was published to Google Play, the issue still unfixed.
*	2013-08-26 Publication of the vulnerability.

# Contact

Please contact Georg Lukas <lukas@...solutions.de> from rt-solutions.de GmbH [2]with any further questions regarding the
vulnerability.

[0] PDF version of this document:
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue
[2] rt-solutions.de GmbH http://www.rt-solutions.de/

-- 
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5633 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ