lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <FE930A08-3DDF-40C6-A940-C3E6466C4093@gmail.com>
Date: Wed, 11 Jul 2012 14:10:55 +0200
From: sebas <s.guerrero0@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Vulnerability on Instagram application
	(Friendship Vulnerability)

=================================================================
Vulnerability on Instagram application (Friendship Vulnerability)
- Original release date: 
- Last revised: 
- Discovered by: Sebastián Guerrero Selma
- Severity: 5
=================================================================

I. VULNERABILITY
-------------------------
Instagram lack of control on authorization logic allows an user
to add himself as a friend of any user on Instagram social network

II. BACKGROUND
-------------------------
Instagram is a free photo sharing program launched in October 2010 
that allows users to take a photo, apply a digital filter to it, and
then share it on a variety of social networking services, including 
Instagram's own. A distinctive feature confines photos to a square 
shape, similar to Kodak Instamatic and Polaroid images, in contrast 
to the 4:3 aspect ratio typically used by mobile device cameras.

Instagram was initially supported on iPhone, iPad, and iPod Touch; 
in April 2012, the company added support for Android camera phones 
running 2.2 (Froyo) or higher. It is distributed via the iTunes App 
Store and Google Play.

III. DESCRIPTION
-------------------------
The mobile application of Android & iPhone is affected by a remote
vulnerability due the lack of control on the logic applied to
authorization feature.

An attacker can perpetrate a brute force attack in the context of
user application and add himself as a friend of all the users on
Instagram, being possible in this way to get access to private 
albums and profile information.

IV. POC
-------------------------
http://imgur.com/aZccK

V. BUSINESS IMPACT
-------------------------
An attacker can execute a brute force attack in a targeted
user's account, this can leverage to steal user private pictures.

VI. SYSTEMS AFFECTED
-------------------------
Instagram

VII. SOLUTION
-------------------------
Not fixed

VIII. REFERENCES
-------------------------
http://www.instagram.com
http://blog.seguesec.com
http://twitter.com/0xroot

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------

XI. DISCLOSURE TIMELINE
-------------------------
July    10, 2012: Discovered by Sebastián Guerrero Selma
July    10, 2012: Vendor contacted including PoC.


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Sebastián Guerrero Selma accepts no responsibility for any damage
caused by the use or misuse of this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ