Affected app: Instagram for Android Affected versions: 4.0.2 and 4.1.2, probably also earlier versions (as well as iOS) affected.
# Summary
After the Instagram iOS vulnerability discovered last year [1], the app's HTTP
API has been extended with a cryptographic
authentication for changes like "likes" and deletes. However, the
implementation of this authentication is flawed in two ways,
making it possible to "like" or delete pictures in the name of another user,
once his credentials have been sniffed over plain-text
HTTP.
# Vulnerability 1: Partial Cryptographic Authentication
When a user issues a "like" or "delete" command from the app, an HTTP POST
request is made to the instagram server:
POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
Host: instagram.com
[more headers stripped]
signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%
7D&ig_sig_key_version=4&src=timeline&d=0
The POSTed data is a set of multiple form-urlencoded parameters, with the first
one being most interesting. The signed_body
parameter is a cryptographic signature, concatenated with a JSON string
('{"media_id":"528086397952388638_263262746"}' in the
example above). In that string, the media ID from the POST URL (the internal
identifier of a picture) is encoded again, and the
signature is created over exactly this JSON string.
Because only the media_id is authenticated, but not the action to be performed,
it is possible for an attacker who can sniff the
credentials cookie and a "Like" API message to forge a "Delete" message for the
same image, re-using the authentication signature.
Of course, this only works in the unlikely case where users "like" their own
image over a public network.
# Vulnerability 2: Bad Key Choice
However, the secret key used for this authentication signature is hard-coded in
the app. That means an attacker who can extract the
key from the app is able to forge the cryptographic signature for any media_id
desired. Once an attacker gains the authentication
cookie (which is transmitted over plaintext HTTP by the app), he can delete all
the pictures posted by the user so far, and also
"like" or "un-like" any pictures available for view.
The signature key is stored in an obfuscated fashion in a combination of native
and Java code. It is obtained by calling
NativeBridge.getInstagramString("[snipped]") from the
RequestUtil.generateSignature(String request) method. Afterwards, an
HMAC-SHA256 signature is generated with the key over the request string. We are
not providing proof-of-concept code for this
vulnerability because making the static signature key public would allow
scripted access to the Instagram API.
# Suggested Countermeasures
We suggest switching all communications from the app to the API server to use
HTTPS, like already done by most other major
providers. If this is not feasible, we suggest extending the cryptographic
authentication as follows:
1. Use a signing key that is specific to the given user and not known to
third parties, i.e. downloaded via HTTPS or at least
derived from the users username+password
2. Add a sequence number into the signed_body field
3. Add the POST URL or some other encoding of the action to perform into
the signed_body, and validate it on the server
# Timeline
* 2013-07-21 We have discovered the vulnerability.
* 2013-07-23 The vendor was contacted via e-mail, there was no reply yet.
* 2013-08-07 Instagram 4.1 was published to Google Play, the issue still
unfixed.
* 2013-08-26 Publication of the vulnerability.
# Contact
Please contact Georg Lukas <lu...@rt-solutions.de> from rt-solutions.de GmbH
[2]with any further questions regarding the
vulnerability.
[0] PDF version of this document:
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue
[2] rt-solutions.de GmbH http://www.rt-solutions.de/
--
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln
Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de
smime.p7s
Description: S/MIME cryptographic signature
