HACK AN INSTAGRAM ACCOUNT

INSTABRUTE: TWO WAYS TO BRUTE-FORCE INSTAGRAM ACCOUNT CREDENTIALS

TL;DR: Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force the passwords of user accounts. Combined with user enumeration, a weak password policy, and no 2FA or other mitigating security controls, this could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones. Facebook fixed both issues and awarded a combined bounty of $5.000.

INTRODUCTION

Authentication brute-force vulnerabilities are very serious issues for any web application. Users are known to pick weak passwords and to reuse them, and many dictionaries containing millions of human-chosen passwords are publicly available, so attackers can easily mount successful attacks. However, some additional factors make brute-force particularly effective against Instagram:

  • User Enumeration: Instagram usernames are public & enumerable via incremental userIDs.
  • Weak Password Policy: At the time of submission, the Instagram password policy only enforced a minimum length of 6 characters, allowing choices such as “123456” and “password”.
  • Two-Factor Authentication: 2FA has only been introduced in February 2016, and is still not rolled out globally.
  • Account Lockout Policy: No account lockout policy is currently in place, nor any other mitigating security controls.

Therefore, exploitation of these issues could have resulted in the compromise of millions of the 400+ million active Instagram accounts – especially those with predictable passwords. Of course, targeted attacks against high-profile (Celebrity) accounts could have been very effective as well (cf. Apple’s Celebgate).

ISSUE #1: IMPLEMENTATION BUG IN MOBILE AUTHENTICATION BRUTE-FORCE PROTECTION

Out of Scope: In order to identify the mobile authentication endpoint communication in an intercepting proxy, SSL pinning had to be bypassed in the Instagram for Android application. Additionally, in order to modify and attack this endpoint communication, a key had to be extracted from the Android application; this key is used to generate an HMAC-SHA256 signature over the POST parameters of every outgoing request. A Burp plugin was written that transparently hotpatches the signature of outgoing requests, such as those generated by the Burp Intruder module (see below). More details can be found in this previous blogpost.

The Instagram for Android application used the endpoint at https://i.instagram.com/api/v1/accounts/login/ to perform authentication. A simple brute-force attack against this mobile authentication endpoint with Burp Intruder revealed that approximately 1000 reliable guesses could be made from one unique IP address, after which the response changed to “username not found”, although the user obviously still existed (Rate limiting):

[Screenshot: InstaBruteIssue1Screenshot1]

However, only the next 1000 consecutive guesses resulted in the “username not found” error response. From the 2000th consecutive guess onward, a reliable response (password correct/incorrect) was followed by an unreliable one (user not found):

[Screenshot: InstaBruteIssue1Screenshot2]

This allowed a reliable brute-force attack, since an attacker could rely on the reliable response messages and simply replay the unreliable ones until a reliable answer was received. The only limitation of this attack was that, on average, 2 authentication requests had to be made per reliable password guess. A quick-and-dirty Python script with basic threading support, “InstaBrutal.py”, was written to prove this. The output of a brute-force attack of 10000 popular passwords against my Instagram test account “bruteforceme” with password “perfectcrime” can be seen here:

Notice that the first 1000 guesses were reliable (“good”) guesses, followed by 1000 unreliable ones (“bad”), which were ignored by the Python script. After that, the ratio remained close to 50%. The numbers are slightly off due to the lack of thread locks around the global variables storing them, as the purpose of the quick-and-dirty script was simply to prove the underlying vulnerability.

Although the script made 10001 password guesses for account “bruteforceme”, an attacker could afterwards simply log in from any IP address, including the one that was used to mount the brute-force attack. This indicated a lack of additional security controls against account compromise, such as account lockout, IP address location-based fraud detection, …

[Screenshot: InstaBruteIssue1Screenshot3]

[Screenshot: InstaBruteIssue1Screenshot4]
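To make the Issue #1 behaviour concrete, here is a constructed Python model (added here; it is neither the author's InstaBrutal.py nor Instagram's code) of the observed per-IP throttle beside a fail-closed one. The thresholds are the values observed in the write-up; the attacker IP, the response labels and the plain-text credential store are assumptions for the model only.

```python
from collections import defaultdict

RELIABLE_LIMIT = 1000                       # honest answers observed per IP before the throttle kicked in
USERS = {"bruteforceme": "perfectcrime"}    # the write-up's test account; plain text only for this model
ATTACKER_IP = "203.0.113.7"                 # constructed documentation address


def check_password(username, password):
    """Plain credential check shared by both throttles."""
    return "ok" if USERS.get(username) == password else "bad_password"


class BuggyThrottle:
    """Per-IP counter reproducing the observed pattern: 1000 honest answers,
    1000 'username not found' answers, then alternating honest/unreliable."""

    def __init__(self):
        self.count = defaultdict(int)

    def login(self, ip, username, password):
        n = self.count[ip]
        self.count[ip] += 1
        if n < RELIABLE_LIMIT:
            honest = True
        elif n < 2 * RELIABLE_LIMIT:
            honest = False
        else:
            honest = n % 2 == 0              # every other request answers honestly again
        return check_password(username, password) if honest else "user_not_found"


class FailClosedThrottle:
    """Same budget, but once it is spent every answer is one generic rejection,
    so replaying a guess can never turn an unreliable answer into an honest one."""

    def __init__(self):
        self.count = defaultdict(int)

    def login(self, ip, username, password):
        n = self.count[ip]
        self.count[ip] += 1
        if n >= RELIABLE_LIMIT:
            return "rate_limited"            # identical for right and wrong passwords
        return check_password(username, password)


def honest_answers(throttle, requests):
    """Number of answers out of `requests` attempts from one IP that reveal
    whether the guess was right: the guesser's real budget under this throttle."""
    revealing = {"ok", "bad_password"}
    return sum(throttle.login(ATTACKER_IP, "bruteforceme", "guess") in revealing
               for _ in range(requests))
```

Over 10001 requests the buggy model hands out 5001 revealing answers (the roughly 50% ratio the write-up observed) while the fail-closed one stops at 1000; a per-IP budget alone is still bypassable by rotating addresses, which is why the missing account-level controls the write-up lists (lockout, location-based fraud detection) matter as well.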

ISSUE #2: CREDENTIALS ORACLE IN WEB REGISTRATION ENDPOINT

For a couple of months now, Instagram has allowed registration via its website, as opposed to only via its mobile applications. Registering a test account “arneswinnen8168” with password “passwd” issued the following underlying request and response:

1. Web Registration

2. Web Registration Request

3. Web Registration Response

However, by simply replaying this exact request, a different response message was now encountered:

4. Web Registration Replay

After removing all parameters from the request except “username” and “password”, replaying one request with the correct password value and one with an incorrect password value highlights the credentials oracle:

5. Replay wrong password

6. Replay correct password

Finally, a Burp Intruder brute-force attack of 10001 passwords, with the 10001st entry being the correct password “passwd”, confirmed the trivial brute-force attack:

7. 10.000th wrong guess

8. 10.001st correct guess

Logging in with the harvested credentials worked again; no account lockout or other security controls were triggered during the successful brute-force attack:

9. Login

10. Login successful
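The Issue #2 oracle, modelled in Python as an added example (not Instagram's code): a registration handler whose answer for an existing username depends on the submitted password, beside a hardened handler that never touches the password in that path, plus the regression check a defender would keep in a test suite. Facebook's actual fix was rate limiting; the response-level change shown here removes the oracle itself. The response labels and the plain-text credential store are assumptions for the model.

```python
# Constructed credential store seeded with the write-up's test account;
# plain text only so the model stays short.
USERS = {"arneswinnen8168": "passwd"}


def register_buggy(username, password):
    """Registration that answers differently depending on whether the supplied
    password matches the existing account: a credentials oracle."""
    if username not in USERS:
        USERS[username] = password
        return "created"
    if USERS[username] == password:
        return "already_registered_by_you"   # leaks that the password is right
    return "username_taken"


def register_hardened(username, password):
    """Same flow, but for an existing username the answer never depends on the
    password, because the password is never compared in the registration path."""
    if username in USERS:
        return "username_taken"
    USERS[username] = password
    return "created"


def leaks_password(handler, username, right, wrong):
    """Regression check: the handler is an oracle if a correct and a wrong
    password for an existing username produce different responses."""
    return handler(username, right) != handler(username, wrong)
```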

FACEBOOK’S MITIGATIONS

  • Issue #1 was resolved by fixing the rate-limiting bug in the mobile authentication endpoint.
  • Issue #2 was resolved by introducing rate-limiting on the web registration endpoint.
  • The password policy was slightly hardened, and extremely easy passwords such as “123456” and “password” are now not allowed anymore.

TIMELINE

  • 28/12/2015: Submitted bug report for issue #1 to Facebook Bug Bounty, including PoC python script.
  • 08/02/2016: Submitted bug report for issue #2 to Facebook Bug Bounty.
  • 11/02/2016: Facebook confirmed that issue #2 is patched.
  • 13/02/2016: Facebook confirmed that issue #1 was patched earlier as well and granted a combined bounty of $5.000.
  • 04/04/2016: Informed Facebook that fix for issue #2 is not effective.
  • 10/05/2016: Facebook reconfirmed new fix for issue #2.
  • 19/05/2016: New fix deemed working, public disclosure.