BugTraq
Two Instagram Android App Security Vulnerabilities Aug 28 2013 08:54AM
Georg Lukas (lukas rt-solutions de)
Affected app: Instagram for Android
Affected versions: 4.0.2 and 4.1.2; earlier versions, and probably the iOS app as well, are likely affected too.

# Summary

After the Instagram iOS vulnerability discovered last year [1], the app's HTTP API has been extended with a cryptographic
authentication (a signature on the request body) for state-changing operations such as "likes" and deletes. However, the
implementation of this authentication is flawed in two ways, making it possible to "like" or delete pictures in the name of
another user once that user's credentials have been sniffed over plain-text HTTP.

# Vulnerability 1: Partial Cryptographic Authentication

When a user issues a "like" or "delete" command from the app, an HTTP POST request is made to the instagram server:

POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
Host: instagram.com
[more headers stripped]

signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%7D&ig_sig_key_version=4&src=timeline&d=0

The POSTed data is a set of form-urlencoded parameters, of which the first is the interesting one. The signed_body
parameter is a cryptographic signature (64 hex digits), followed by a "." and a JSON string ('{"media_id":"528086397952388638_263262746"}'
in the example above, shown URL-decoded). In that string, the media ID from the POST URL (the internal identifier of a picture) is
encoded again, and the signature is computed over exactly this JSON string and nothing else.

Because only the media_id is authenticated, but not the action to be performed (which lives solely in the URL path), an attacker
who can sniff the session cookie and a "like" request can forge a "delete" request for the same image by changing the path and
re-using the signed_body unchanged. Since a user can only delete their own pictures, this on its own only works in the unlikely
case where a user "likes" one of their own images over a network the attacker can sniff.

# Vulnerability 2: Bad Key Choice

However, the secret key used for this authentication signature is hard-coded in the app. That means an attacker who can extract
the key from the app is able to forge the cryptographic signature for any media_id desired, without ever observing a signed
request. Once such an attacker obtains the authentication cookie (which the app transmits over plaintext HTTP), they can delete
all the pictures the user has posted so far, and also "like" or "un-like" any picture available for view.

The signature key is stored in an obfuscated fashion in a combination of native and Java code. It is obtained by calling
NativeBridge.getInstagramString("[snipped]") from the RequestUtil.generateSignature(String request) method. Afterwards, an
HMAC-SHA256 signature is generated with the key over the request string. We are not providing proof-of-concept code for this
vulnerability because making the static signature key public would allow scripted access to the Instagram API.

# Suggested Countermeasures

We suggest switching all communication between the app and the API server to HTTPS, as most other major providers already do.
If this is not feasible, we suggest extending the cryptographic authentication as follows:

1. Use a signing key that is specific to the given user and not known to third parties, i.e. downloaded via HTTPS or at least
derived from the user's username and password
2. Add a sequence number into the signed_body field
3. Add the POST URL or some other encoding of the action to perform into the signed_body, and validate it on the server
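The following Python model is an added example; it is not part of the advisory and not Instagram's code. It reproduces the signed_body construction described in the two vulnerability sections (HMAC-SHA256 over the compact JSON string, hex signature and JSON joined by a "."), shows the like-to-delete replay of vulnerability 1 and the sign-anything problem of vulnerability 2, and then implements countermeasures 1 to 3 together with the server-side checks they need. APP_KEY, the per-user key, and the HardenedServer class are assumptions; the app's real static key is deliberately not reproduced. The only value taken from the page is the captured signed_body, which parse_signed_body() splits back into signature and JSON.

```python
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Hypothetical stand-in for the key hard-coded in the app (the real one is
# deliberately not reproduced; the advisory withholds it for the same reason).
APP_KEY = b"hypothetical-static-app-key"

# The signed_body value from the captured POST shown in the advisory, still
# form-urlencoded exactly as it was sent on the wire.
CAPTURED_SIGNED_BODY = (
    "e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d"
    ".%7B%22media_id%22%3A%22528086397952388638_263262746%22%7D"
)


def parse_signed_body(encoded: str) -> tuple:
    """Split a form-urlencoded signed_body into (hex signature, JSON payload)."""
    mac, _, body = unquote(encoded).partition(".")
    return mac, json.loads(body)


def hmac_hex(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def sign_body(key: bytes, payload: dict) -> str:
    """Client side as the advisory describes it: HMAC-SHA256 over the compact
    JSON string, hex signature and JSON joined by '.', then form-urlencoded."""
    body = json.dumps(payload, separators=(",", ":"))
    return quote(f"{hmac_hex(key, body)}.{body}", safe="")


def verify_weak(key: bytes, path: str, signed_body: str) -> bool:
    """Server check implied by the advisory. `path` is deliberately unused:
    only the JSON string is covered by the MAC, never the action in the URL."""
    mac, _, body = unquote(signed_body).partition(".")
    return hmac.compare_digest(mac, hmac_hex(key, body))


def like_request(key: bytes, media_id: str) -> dict:
    return {"path": f"/api/v1/media/{media_id}/like/",
            "signed_body": sign_body(key, {"media_id": media_id})}


def forge_delete_from_like(captured: dict) -> dict:
    """Vulnerability 1: a sniffed 'like' signed_body replayed on the delete URL."""
    media_id = parse_signed_body(captured["signed_body"])[1]["media_id"]
    return {"path": f"/api/v1/media/{media_id}/delete/",
            "signed_body": captured["signed_body"]}


def forge_delete_with_key(key: bytes, media_id: str) -> dict:
    """Vulnerability 2: whoever holds the static key signs for any media_id."""
    return {"path": f"/api/v1/media/{media_id}/delete/",
            "signed_body": sign_body(key, {"media_id": media_id})}


class HardenedServer:
    """Countermeasures 1-3 (assumed design): per-user key, monotonic sequence
    number and the request path all inside the signed JSON, checked server-side."""

    def __init__(self, user_keys: dict):
        self.user_keys = user_keys   # user -> key delivered to the app over HTTPS
        self.last_seq = {}           # user -> highest sequence number accepted

    def verify(self, user: str, path: str, signed_body: str) -> bool:
        key = self.user_keys.get(user)
        if key is None:
            return False
        mac, _, body = unquote(signed_body).partition(".")
        if not hmac.compare_digest(mac, hmac_hex(key, body)):
            return False
        data = json.loads(body)
        if data.get("path") != path:                              # action bound
            return False
        seq = data.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(user, -1):
            return False                                          # replay bound
        self.last_seq[user] = seq
        return True


def hardened_request(user_key: bytes, path: str, media_id: str, seq: int) -> dict:
    payload = {"media_id": media_id, "path": path, "seq": seq}
    return {"path": path, "signed_body": sign_body(user_key, payload)}


if __name__ == "__main__":
    mid = "528086397952388638_263262746"
    sniffed = like_request(APP_KEY, mid)
    forged = forge_delete_from_like(sniffed)
    print("weak server accepts forged delete:",
          verify_weak(APP_KEY, forged["path"], forged["signed_body"]))
    user_key = b"per-user-key-fetched-over-https"
    srv = HardenedServer({"alice": user_key})
    good = hardened_request(user_key, f"/api/v1/media/{mid}/like/", mid, 1)
    print("hardened server accepts genuine like:",
          srv.verify("alice", good["path"], good["signed_body"]))
    print("hardened server accepts replay on delete URL:",
          srv.verify("alice", f"/api/v1/media/{mid}/delete/", good["signed_body"]))
```

The weak verifier never looks at the request path, which is exactly why the captured like's signed_body is accepted on the delete URL; the hardened verifier binds the path and a per-user sequence number into the MAC'd payload, so both the cross-action replay and a straight replay of the same request are rejected, and the per-user key removes the value of extracting anything from the APK.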

# Timeline

* 2013-07-21 We discovered the vulnerability.
* 2013-07-23 The vendor was contacted via e-mail; there has been no reply yet.
* 2013-08-07 Instagram 4.1 was published to Google Play with the issue still unfixed.
* 2013-08-26 Publication of the vulnerability.

# Contact

Please contact Georg Lukas <lukas (at) rt-solutions (dot) de> from rt-solutions.de GmbH [2] with any further questions regarding the
vulnerability.

[0] PDF version of this document:
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue
[2] rt-solutions.de GmbH http://www.rt-solutions.de/

--
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Fax : (+49)221 93724 50
Mobile: (+49)179 4176591
Web : www.rt-solutions.de
