ID HACKAPP:COM.INSTAGRAM.ANDROID.APK
Type hackapp
Reporter Hackapp.org
Modified 2017-06-01T20:13:42
Description
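The HackApp vulnerability scanner discovered that the Instagram application, published on the 'play' market, has multiple vulnerabilities. These are automated scanner findings: the record below lists no CVE identifiers (`cvelist` is empty) and carries a CVSS score of 0.0, so each item in `hackapp.bugs` should be verified against the app before it is treated as a confirmed vulnerability.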
{"id": "HACKAPP:COM.INSTAGRAM.ANDROID.APK", "bulletinFamily": "software", "title": "Instagram - Customized SSL, Exported ContentProvider, Redefined SSL Common Names verifier vulnerabilities", "description": "HackApp vulnerability scanner discovered that application Instagram published at the 'play' market has multiple vulnerabilities.", "published": "2017-06-01T20:13:42", "modified": "2017-06-01T20:13:42", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackapp.com/report/f4a76df1f5c5e0d3e815f3f109d784b7", "reporter": "Hackapp.org", "references": ["https://play.google.com/store/apps/details?id=com.instagram.android&hl=en"], "cvelist": [], "type": "hackapp", "lastseen": "2018-08-02T15:59:07", "history": [{"bulletin": {"affectedSoftware": [{"name": "Instagram", "operator": "le", "version": "Varies with device"}], "bulletinFamily": "software", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "HackApp vulnerability scanner discovered that application Instagram published at the 'play' market has multiple vulnerabilities.", "edition": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hackapp": {"apk": "COM.INSTAGRAM.ANDROID.APK", "bugs": [{"description": "The app should be compliant with open source license requirements.", "id": "7c131ac575e5514c27ab60d231f65ba6", "name": "MIT license", "severity": "critical"}, {"description": "Were do they point?", "id": "0ab31a53bc2802ee967828e72b28bc4e", "name": "External URLs", "severity": "notice"}, {"description": "\n\t\t\tCheck certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. 
Use the existing API.\n\t\t\t", "id": "d27bca460457ddfb136aa46db4af03e4", "name": "Customized SSL", "severity": "critical"}, {"description": "This app is looking for root tools.", "id": "75d1a9f625ddcfd22afe01bfb1c5e3e5", "name": "Possible privilege escalation", "severity": "notice"}, {"description": "All items deleted with 'file.delete()' could be recovered.", "id": "c9ff80d96d00d2b48ab410e717cc753e", "name": "Unsafe deleting", "severity": "notice"}, {"description": "WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.", "id": "353c8700b9aed11b3368b947cd97ffe1", "name": "WebView JavaScript enabled", "severity": "medium"}, {"description": "This app uses self defined certificate verifier. If it is not properly configured it could allow attackers to do MITM attacks with their valid certificate without your knowledge.", "id": "2accabf43fffb0269e2470a2a9987656", "name": "Redefined SSL Common Names verifier", "severity": "critical"}, {"description": "WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. 
Remote Code Execution (RCE) is possible.", "id": "5f8d1ed2f4cc8d1382eb26eecff8422d", "name": "WebView code execution", "severity": "critical"}, {"description": "Other applications could access the interfaces.", "id": "c4d82a8d823de5c2b48a91340c854051", "name": "Exported components", "severity": "medium"}, {"description": "Function 'Runtime.getRuntime().exec()' is used, please check where variables are come from.", "id": "b0bf00201d0a671fc28a9aa6fb118c85", "name": "Runtime command execution", "severity": "medium"}, {"description": "SD-cards and other external storages have 'worldwide read' policy.", "id": "de71b6a3c2ad296caa43df69c7dfd5c7", "name": "SD-card access", "severity": "medium"}, {"description": "Exported ContentProvider is available to other apps.", "id": "8ba89c16e0bb3222984d0716cda254c9", "name": "Exported ContentProvider", "severity": "critical"}, {"description": "Are you sure these files should be here?", "id": "1395c6e5501aae0a932f4a3f90ff38df", "name": "Suspicious files", "severity": "notice"}, {"description": "Control of WebView context allows to access local files.\n\t\t\t", "id": "c8981206b93502943951b1a67b937d40", "name": "WebView files access", "severity": "medium"}], "icon": "http://lh3.googleusercontent.com/aYbdIM1abwyVSUZLDKoE0CDZGRhlkpsaPOg9tNnBktUQYsXflwknnOn2Ge1Yr7rImGk=w300", "link": "https://play.google.com/store/apps/details?id=com.instagram.android&hl=en", "name": "Instagram", "release": "2017-04-19T00:00:00", "store": "play", "vendor": "Instagram", "version": "Varies with device"}, "hash": "19569986e36adee72a9f836ce96db94aef0733231bec49593acc3eef14c7baba", "hashmap": [{"hash": "b9b3dbb2beafd211f7438233508b12b6", "key": "affectedSoftware"}, {"hash": "635c2b47bbfcc03b1ee7a2f9d955a136", "key": "published"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "3b012aae1848bb95fe11f3cebae83cb0", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": 
"a10cd11d08c2b79823ba25426498db10", "key": "references"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "635c2b47bbfcc03b1ee7a2f9d955a136", "key": "modified"}, {"hash": "49a3c2dfa74eba2a221cc01c69728a3d", "key": "hackapp"}, {"hash": "5953d9c910b05ff46aabf18e1e155348", "key": "href"}, {"hash": "aede81c500d91c46657e1a3c8fb1130b", "key": "title"}, {"hash": "c6a7e8ec91579b1d97fb1eb780e96060", "key": "description"}, {"hash": "96e87ef1fcc8d9d3cdd337488987c423", "key": "type"}], "history": [], "href": "https://hackapp.com/report/f619ba7cd890cc0d8727f69d4118c7a6", "id": "HACKAPP:COM.INSTAGRAM.ANDROID.APK", "lastseen": "2017-04-19T19:23:22", "modified": "2017-04-19T19:58:02", "objectVersion": "1.2", "published": "2017-04-19T19:58:02", "references": ["https://play.google.com/store/apps/details?id=com.instagram.android&hl=en"], "reporter": "Hackapp.org", "title": "Instagram - Customized SSL, Exported ContentProvider, MIT license vulnerabilities", "type": "hackapp", "viewCount": 7}, "differentElements": ["published", "hackapp", "modified", "title", "href"], "edition": 1, "lastseen": "2017-04-19T19:23:22"}], "edition": 2, "hashmap": [{"key": "affectedSoftware", "hash": "b9b3dbb2beafd211f7438233508b12b6"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "c6a7e8ec91579b1d97fb1eb780e96060"}, {"key": "hackapp", "hash": "9b447f79c5fdf29eb990577b71014fa7"}, {"key": "href", "hash": "c38ff9344c4f4d0d70d3277b8b6ba7d9"}, {"key": "modified", "hash": "8f4772461142d3392facd8d4e26dbe99"}, {"key": "published", "hash": "8f4772461142d3392facd8d4e26dbe99"}, {"key": "references", "hash": "a10cd11d08c2b79823ba25426498db10"}, {"key": "reporter", "hash": "3b012aae1848bb95fe11f3cebae83cb0"}, {"key": "title", "hash": "68f54783741e43376b396cb589e3469e"}, {"key": "type", "hash": 
"96e87ef1fcc8d9d3cdd337488987c423"}], "hash": "a58d58ca9a99b3274aa9fcfec7a9d2d9ad699408ff77c684c10934aacf857265", "viewCount": 7, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2018-08-02T15:59:07"}, "dependencies": {"references": [], "modified": "2018-08-02T15:59:07"}, "vulnersScore": 0.7}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Instagram", "operator": "le", "version": "Varies with device"}], "hackapp": {"apk": "COM.INSTAGRAM.ANDROID.APK", "bugs": [{"description": "Exported ContentProvider is available to other apps.", "id": "efb9c93eee24615c14c2409177c80c3a", "name": "Exported ContentProvider", "severity": "critical"}, {"description": "This app uses self defined certificate verifier. If it is not properly configured it could allow attackers to do MITM attacks with their valid certificate without your knowledge.", "id": "9728a29c9889b30d0c289729195b040b", "name": "Redefined SSL Common Names verifier", "severity": "critical"}, {"description": "Other applications could access the interfaces.", "id": "e3f7677cc24e47ac41c6a8a769e0f178", "name": "Exported components", "severity": "medium"}, {"description": "\n\t\t\tCheck certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. 
Use the existing API.\n\t\t\t", "id": "60d4d24b12e8a1d3bf2472378883f1ec", "name": "Customized SSL", "severity": "critical"}, {"description": "All items deleted with 'file.delete()' could be recovered.", "id": "d703d8b6b2e2b92730318c33933531d5", "name": "Unsafe deleting", "severity": "notice"}, {"description": "Control of WebView context allows to access local files.\n\t\t\t", "id": "97919839fd7d3058e86da719c3758160", "name": "WebView files access", "severity": "medium"}, {"description": "SD-cards and other external storages have 'worldwide read' policy.", "id": "563236b4f8fd65ba0fe992de428db88e", "name": "SD-card access", "severity": "medium"}, {"description": "Were do they point?", "id": "26737d3a5ed6c6a04f4680eec926bb3c", "name": "External URLs", "severity": "notice"}, {"description": "WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.", "id": "84f52b73b2d0e10780ae1961fbb802ed", "name": "WebView JavaScript enabled", "severity": "medium"}, {"description": "Function 'Runtime.getRuntime().exec()' is used, please check where variables are come from.", "id": "bc9014e4309d13bdf9ebde940553c6cd", "name": "Runtime command execution", "severity": "medium"}, {"description": "This app is looking for root tools.", "id": "fe455f53d6634e5ee390cb20bf1963be", "name": "Possible privilege escalation", "severity": "notice"}, {"description": "Are you sure these files should be here?", "id": "0b329a403b9bfb02e2d51286d7b88f7e", "name": "Suspicious files", "severity": "notice"}], "icon": "http://lh3.googleusercontent.com/aYbdIM1abwyVSUZLDKoE0CDZGRhlkpsaPOg9tNnBktUQYsXflwknnOn2Ge1Yr7rImGk=w300", "link": "https://play.google.com/store/apps/details?id=com.instagram.android&hl=en", "name": "Instagram", "release": "2017-05-31T00:00:00", "store": "play", "vendor": "Instagram", "version": "Varies with device"}}
{}