- =================================================================
- Vulnerability on Instagram application (Friendship Vulnerability)
- - Original release date:
- - Last revised:
- - Discovered by: Sebastián Guerrero Selma
- - Severity: 5
- =================================================================
- I. VULNERABILITY
- -------------------------
- Missing authorization checks in Instagram's friendship (follow request) logic
- allow a user to add himself as a friend of any other user on the Instagram social network
- II. BACKGROUND
- -------------------------
- Instagram is a free photo sharing program launched in October 2010
- that allows users to take a photo, apply a digital filter to it, and
- then share it on a variety of social networking services, including
- Instagram's own. A distinctive feature confines photos to a square
- shape, similar to Kodak Instamatic and Polaroid images, in contrast
- to the 4:3 aspect ratio typically used by mobile device cameras.
- Instagram was initially supported on iPhone, iPad, and iPod Touch;
- in April 2012, the company added support for Android camera phones
- running 2.2 (Froyo) or higher. It is distributed via the iTunes App
- Store and Google Play.
- III. DESCRIPTION
- -------------------------
- The Android and iPhone mobile applications are affected by a remotely
- exploitable vulnerability caused by missing checks in the logic applied to
- the friendship authorization feature.
- An attacker can run a brute force attack in the context of his own
- application session and add himself as a friend of any user on
- Instagram, thereby gaining access to the private albums and profile
- information of those users.
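The advisory does not spell out which request is abused, so the following is an added, illustrative Python model of the bug class it describes (a follow-request approval step that never verifies the caller is the account being followed, combined with sequential request ids that can be brute forced), not Instagram's code. The account names, the request-id scheme, and the method names are assumptions; the vulnerable and hardened approval routines are shown side by side.

```python
"""Toy model of a follow-approval authorization flaw.

Constructed illustration (not Instagram code): a private account must
approve a follow request before the follower can see its photos. The
vulnerable approve step trusts the request id alone and never checks that
the caller is the account being followed, so the requester can approve
his own request; because request ids are sequential, he can also walk
through them in a loop.
"""
from dataclasses import dataclass, field
import itertools


@dataclass
class Account:
    username: str
    private: bool = True
    followers: set = field(default_factory=set)
    photos: list = field(default_factory=list)   # constructed sample data


@dataclass
class FollowRequest:
    id: int
    requester: str   # who wants to follow
    target: str      # the private account being followed
    approved: bool = False


class SocialGraph:
    def __init__(self):
        self.accounts = {}
        self.requests = {}
        self._ids = itertools.count(1)   # sequential ids: trivially enumerable

    def add_account(self, name, photos):
        self.accounts[name] = Account(name, photos=list(photos))

    def request_follow(self, requester, target):
        req = FollowRequest(next(self._ids), requester, target)
        self.requests[req.id] = req
        return req.id

    # VULNERABLE: the caller is authenticated, but nothing checks that the
    # caller is the *target* of the request, so the requester approves himself.
    def approve_vulnerable(self, session_user, request_id):
        req = self.requests.get(request_id)
        if req is None or session_user not in self.accounts:
            return False
        req.approved = True
        self.accounts[req.target].followers.add(req.requester)
        return True

    # HARDENED: only the account being followed may approve, and only once.
    def approve_hardened(self, session_user, request_id):
        req = self.requests.get(request_id)
        if req is None or req.approved or req.target != session_user:
            return False
        req.approved = True
        self.accounts[req.target].followers.add(req.requester)
        return True

    def view_photos(self, viewer, owner):
        acct = self.accounts[owner]
        if acct.private and viewer != owner and viewer not in acct.followers:
            return None   # private album: access denied
        return list(acct.photos)


def run_attack(use_hardened):
    """Attacker 'mallory' requests to follow every private account, then
    brute forces the request ids and approves them from her own session.
    Returns a dict of victim -> photos she can now see."""
    g = SocialGraph()
    g.add_account("alice", ["alice_1.jpg", "alice_2.jpg"])   # constructed
    g.add_account("bob", ["bob_1.jpg"])                        # constructed
    g.add_account("mallory", [])
    approve = g.approve_hardened if use_hardened else g.approve_vulnerable

    for victim in ("alice", "bob"):
        g.request_follow("mallory", victim)

    # brute force: walk the sequential request ids in the attacker's session
    for rid in range(1, 100):
        approve("mallory", rid)

    stolen = {}
    for victim in ("alice", "bob"):
        photos = g.view_photos("mallory", victim)
        if photos:
            stolen[victim] = photos
    return stolen


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))
    print("hardened:  ", run_attack(True))
```

The fix is the single comparison `req.target != session_user`: the approval decision must be bound to the identity of the account being followed, not merely to the presence of a valid session. Unpredictable request identifiers would slow enumeration but would not remove the flaw, since the requester already knows the id of his own request.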
- IV. POC
- -------------------------
- http://imgur.com/aZccK
- V. BUSINESS IMPACT
- -------------------------
- An attacker can execute a brute force attack against a targeted
- user's account, which can be leveraged to steal the user's private pictures.
- VI. SYSTEMS AFFECTED
- -------------------------
- Instagram
- VII. SOLUTION
- -------------------------
- Not fixed
- VIII. REFERENCES
- -------------------------
- http://www.instagram.com
- http://blog.seguesec.com
- http://twitter.com/0xroot
- IX. CREDITS
- -------------------------
- This vulnerability has been discovered
- by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).
- X. REVISION HISTORY
- -------------------------
- XI. DISCLOSURE TIMELINE
- -------------------------
- July 10, 2012: Discovered by Sebastián Guerrero Selma
- July 10, 2012: Vendor contacted including PoC.
- XII. LEGAL NOTICES
- -------------------------
- The information contained within this advisory is supplied "as-is"
- with no warranties or guarantees of fitness of use or otherwise.
- Sebastián Guerrero Selma accepts no responsibility for any damage
- caused by the use or misuse of this information.