Want more features on Pastebin? Sign Up, it's FREE!
Guest

Untitled

By: a guest on Jul 11th, 2012  |  syntax: None  |  size: 2.69 KB  |  views: 5,311  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. =================================================================
  2. Vulnerability on Instagram application (Friendship Vulnerability)
  3. - Original release date:
  4. - Last revised:
  5. - Discovered by: Sebastián Guerrero Selma
  6. - Severity: 5
  7. =================================================================
  8.  
  9. I. VULNERABILITY
  10. -------------------------
  11. Instagram lack of control on authorization logic allows an user
  12. to add himself as a friend of any user on Instagram social network
  13.  
  14. II. BACKGROUND
  15. -------------------------
  16. Instagram is a free photo sharing program launched in October 2010
  17. that allows users to take a photo, apply a digital filter to it, and
  18. then share it on a variety of social networking services, including
  19. Instagram's own. A distinctive feature confines photos to a square
  20. shape, similar to Kodak Instamatic and Polaroid images, in contrast
  21. to the 4:3 aspect ratio typically used by mobile device cameras.
  22.  
  23. Instagram was initially supported on iPhone, iPad, and iPod Touch;
  24. in April 2012, the company added support for Android camera phones
  25. running 2.2 (Froyo) or higher. It is distributed via the iTunes App
  26. Store and Google Play.
  27.  
  28. III. DESCRIPTION
  29. -------------------------
  30. The mobile application of Android & iPhone is affected by a remote
  31. vulnerability due the lack of control on the logic applied to
  32. authorization feature.
  33.  
  34. An attacker can perpetrate a brute force attack in the context of
  35. user application and add himself as a friend of all the users on
  36. Instagram, being possible in this way to get access to private
  37. albums and profile information.
  38.  
  39. IV. POC
  40. -------------------------
  41. http://imgur.com/aZccK
  42.  
  43. V. BUSINESS IMPACT
  44. -------------------------
  45. An attacker can execute a brute force attack in a targeted
  46. user's account, this can leverage to steal user private pictures.
  47.  
  48. VI. SYSTEMS AFFECTED
  49. -------------------------
  50. Instagram
  51.  
  52. VII. SOLUTION
  53. -------------------------
  54. Not fixed
  55.  
  56. VIII. REFERENCES
  57. -------------------------
  58. http://www.instagram.com
  59. http://blog.seguesec.com
  60. http://twitter.com/0xroot
  61.  
  62. IX. CREDITS
  63. -------------------------
  64. This vulnerability has been discovered
  65. by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).
  66.  
  67. X. REVISION HISTORY
  68. -------------------------
  69.  
  70. XI. DISCLOSURE TIMELINE
  71. -------------------------
  72. July    10, 2012: Discovered by Sebastián Guerrero Selma
  73. July    10, 2012: Vendor contacted including PoC.
  74.  
  75.  
  76. XII. LEGAL NOTICES
  77. -------------------------
  78. The information contained within this advisory is supplied "as-is"
  79. with no warranties or guarantees of fitness of use or otherwise.
  80. Sebastián Guerrero Selma accepts no responsibility for any damage
  81. caused by the use or misuse of this information.
clone this paste RAW Paste Data