Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Instagram Crypto Issue / Hardcoded Key

🗓️ 28 Aug 2013 00:00:00Reported by Georg LukasType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

Instagram Android Crypto Authentication Issu

Code
`Affected app: Instagram for Android  
Affected versions: 4.0.2 and 4.1.2, probably also earlier versions (as well as iOS) affected.  
  
# Summary  
  
After the Instagram iOS vulnerability discovered last year [1], the app's HTTP API has been extended with a cryptographic  
authentication for changes like "likes" and deletes. However, the implementation of this authentication is flawed in two ways,  
making it possible to "like" or delete pictures in the name of another user, once his credentials have been sniffed over plain-text  
HTTP.  
  
# Vulnerability 1: Partial Cryptographic Authentication  
  
When a user issues a "like" or "delete" command from the app, an HTTP POST request is made to the instagram server:  
  
POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n  
Host: instagram.com  
[more headers stripped]  
  
  
signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%  
7D&ig_sig_key_version=4&src=timeline&d=0  
  
The POSTed data is a set of multiple form-urlencoded parameters, with the first one being most interesting. The signed_body  
parameter is a cryptographic signature, concatenated with a JSON string ('{"media_id":"528086397952388638_263262746"}' in the  
example above). In that string, the media ID from the POST URL (the internal identifier of a picture) is encoded again, and the  
signature is created over exactly this JSON string.  
  
Because only the media_id is authenticated, but not the action to be performed, it is possible for an attacker who can sniff the  
credentials cookie and a "Like" API message to forge a "Delete" message for the same image, re-using the authentication signature.  
Of course, this only works in the unlikely case where users "like" their own image over a public network.  
  
# Vulnerability 2: Bad Key Choice  
  
However, the secret key used for this authentication signature is hard-coded in the app. That means an attacker who can extract the  
key from the app is able to forge the cryptographic signature for any media_id desired. Once an attacker gains the authentication  
cookie (which is transmitted over plaintext HTTP by the app), he can delete all the pictures posted by the user so far, and also  
"like" or "un-like" any pictures available for view.  
  
The signature key is stored in an obfuscated fashion in a combination of native and Java code. It is obtained by calling  
NativeBridge.getInstagramString("[snipped]") from the RequestUtil.generateSignature(String request) method. Afterwards, an  
HMAC-SHA256 signature is generated with the key over the request string. We are not providing proof-of-concept code for this  
vulnerability because making the static signature key public would allow scripted access to the Instagram API.  
  
# Suggested Countermeasures  
  
We suggest switching all communications from the app to the API server to use HTTPS, like already done by most other major  
providers. If this is not feasible, we suggest extending the cryptographic authentication as follows:  
  
1. Use a signing key that is specific to the given user and not known to third parties, i.e. downloaded via HTTPS or at least  
derived from the user’s username+password  
2. Add a sequence number into the signed_body field  
3. Add the POST URL or some other encoding of the action to perform into the signed_body, and validate it on the server  
  
# Timeline  
  
* 2013-07-21 We have discovered the vulnerability.  
* 2013-07-23 The vendor was contacted via e-mail, there was no reply yet.  
* 2013-08-07 Instagram 4.1 was published to Google Play, the issue still unfixed.  
* 2013-08-26 Publication of the vulnerability.  
  
# Contact  
  
Please contact Georg Lukas <[email protected]> from rt-solutions.de GmbH [2]with any further questions regarding the  
vulnerability.  
  
[0] PDF version of this document:  
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf  
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue  
[2] rt-solutions.de GmbH http://www.rt-solutions.de/  
  
--   
rt-solutions.de GmbH  
Oberländer Ufer 190a  
D-50968 Köln  
  
Fax : (+49)221 93724 50  
Mobil: (+49)179 4176591  
Web : www.rt-solutions.de  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Aug 2013 00:00Current
0.5Low risk
Vulners AI Score0.5
instagramandroidcryptographicauthenticationvulnerabilityhardcodedkeyhttpapicryptographic signaturelikedeletevulnerability timelinecontactsecurity issue
31