[Owasp-Recife] Fwd: [owasppb] Fwd: Two Instagram Android App Security Vulnerabilities

Caio Dias caio.dias at owasp.org
Thu Aug 29 17:31:13 UTC 2013

---------- Forwarded message ----------
From: Renê Barbosa <renebarbosafl at gmail.com>
Date: Wed, Aug 28, 2013 at 9:07 AM
Subject: [owasppb] Fwd: Two Instagram Android App Security Vulnerabilities
To: "segidez at googlegroups.com" <segidez at googlegroups.com>, "
owasppb at googlegroups.com" <owasppb at googlegroups.com>



*Renê Barbosa de Figueirêdo Lima*
Fone: +5508388051586
Website: http://renebarbosa.com/
Skype: renebarbosafl

---------- Forwarded message ----------
From: Georg Lukas <lukas at rt-solutions.de>
Date: 2013/8/28
Subject: Two Instagram Android App Security Vulnerabilities
To: "bugtraq at securityfocus.com" <bugtraq at securityfocus.com>

Affected app: Instagram for Android
Affected versions: 4.0.2 and 4.1.2, probably also earlier versions (as well
as iOS) affected.

# Summary

After the Instagram iOS vulnerability discovered last year [1], the app's
HTTP API has been extended with a cryptographic
authentication for changes like "likes" and deletes. However, the
implementation of this authentication is flawed in two ways,
making it possible to "like" or delete pictures in the name of another
user, once his credentials have been sniffed over plain-text

# Vulnerability 1: Partial Cryptographic Authentication

When a user issues a "like" or "delete" command from the app, an HTTP POST
request is made to the instagram server:

        POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
        Host: instagram.com
        [more headers stripped]


The POSTed data is a set of multiple form-urlencoded parameters, with the
first one being most interesting. The signed_body
parameter is a cryptographic signature, concatenated with a JSON string
('{"media_id":"528086397952388638_263262746"}' in the
example above). In that string, the media ID from the POST URL (the
internal identifier of a picture) is encoded again, and the
signature is created over exactly this JSON string.

Because only the media_id is authenticated, but not the action to be
performed, it is possible for an attacker who can sniff the
credentials cookie and a "Like" API message to forge a "Delete" message for
the same image, re-using the authentication signature.
Of course, this only works in the unlikely case where users "like" their
own image over a public network.

# Vulnerability 2: Bad Key Choice

However, the secret key used for this authentication signature is
hard-coded in the app. That means an attacker who can extract the
key from the app is able to forge the cryptographic signature for any
media_id desired. Once an attacker gains the authentication
cookie (which is transmitted over plaintext HTTP by the app), he can delete
all the pictures posted by the user so far, and also
"like" or "un-like" any pictures available for view.

The signature key is stored in an obfuscated fashion in a combination of
native and Java code. It is obtained by calling
NativeBridge.getInstagramString("[snipped]") from the
RequestUtil.generateSignature(String request) method. Afterwards, an
HMAC-SHA256 signature is generated with the key over the request string. We
are not providing proof-of-concept code for this
vulnerability because making the static signature key public would allow
scripted access to the Instagram API.

# Suggested Countermeasures

We suggest switching all communications from the app to the API server to
use HTTPS, like already done by most other major
providers. If this is not feasible, we suggest extending the cryptographic
authentication as follows:

1.      Use a signing key that is specific to the given user and not known
to third parties, i.e. downloaded via HTTPS or at least
derived from the user’s username+password
2.      Add a sequence number into the signed_body field
3.      Add the POST URL or some other encoding of the action to perform
into the signed_body, and validate it on the server

# Timeline

*       2013-07-21 We have discovered the vulnerability.
*       2013-07-23 The vendor was contacted via e-mail, there was no reply
*       2013-08-07 Instagram 4.1 was published to Google Play, the issue
still unfixed.
*       2013-08-26 Publication of the vulnerability.

# Contact

Please contact Georg Lukas <lukas at rt-solutions.de> from
rt-solutions.deGmbH [2]with any further questions regarding the

[0] PDF version of this document:
[2] rt-solutions.de GmbH http://www.rt-solutions.de/

rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de


Você está recebendo esta mensagem porque se inscreveu no grupo "OWASP
Paraíba" dos Grupos do Google.
Para cancelar a inscrição neste grupo e parar de receber seus e-mails,
envie um e-mail para owasppb+unsubscribe at googlegroups.com.
Para obter mais opções, acesse https://groups.google.com/groups/opt_out.

Caio Dias
<https://about.me/caiodias> https://about.me/caiodias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-recife/attachments/20130829/62c6287a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5633 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-recife/attachments/20130829/62c6287a/attachment.bin>

More information about the Owasp-recife mailing list