Advertisement
Guest User

Untitled

a guest
Jul 11th, 2012
7,631
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.69 KB | None | 0 0
  1. =================================================================
  2. Vulnerability on Instagram application (Friendship Vulnerability)
  3. - Original release date:
  4. - Last revised:
  5. - Discovered by: Sebastián Guerrero Selma
  6. - Severity: 5
  7. =================================================================
  8.  
  9. I. VULNERABILITY
  10. -------------------------
  11. Instagram lack of control on authorization logic allows an user
  12. to add himself as a friend of any user on Instagram social network
  13.  
  14. II. BACKGROUND
  15. -------------------------
  16. Instagram is a free photo sharing program launched in October 2010
  17. that allows users to take a photo, apply a digital filter to it, and
  18. then share it on a variety of social networking services, including
  19. Instagram's own. A distinctive feature confines photos to a square
  20. shape, similar to Kodak Instamatic and Polaroid images, in contrast
  21. to the 4:3 aspect ratio typically used by mobile device cameras.
  22.  
  23. Instagram was initially supported on iPhone, iPad, and iPod Touch;
  24. in April 2012, the company added support for Android camera phones
  25. running 2.2 (Froyo) or higher. It is distributed via the iTunes App
  26. Store and Google Play.
  27.  
  28. III. DESCRIPTION
  29. -------------------------
  30. The mobile application of Android & iPhone is affected by a remote
  31. vulnerability due the lack of control on the logic applied to
  32. authorization feature.
  33.  
  34. An attacker can perpetrate a brute force attack in the context of
  35. user application and add himself as a friend of all the users on
  36. Instagram, being possible in this way to get access to private
  37. albums and profile information.
  38.  
  39. IV. POC
  40. -------------------------
  41. http://imgur.com/aZccK
  42.  
  43. V. BUSINESS IMPACT
  44. -------------------------
  45. An attacker can execute a brute force attack in a targeted
  46. user's account, this can leverage to steal user private pictures.
  47.  
  48. VI. SYSTEMS AFFECTED
  49. -------------------------
  50. Instagram
  51.  
  52. VII. SOLUTION
  53. -------------------------
  54. Not fixed
  55.  
  56. VIII. REFERENCES
  57. -------------------------
  58. http://www.instagram.com
  59. http://blog.seguesec.com
  60. http://twitter.com/0xroot
  61.  
  62. IX. CREDITS
  63. -------------------------
  64. This vulnerability has been discovered
  65. by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).
  66.  
  67. X. REVISION HISTORY
  68. -------------------------
  69.  
  70. XI. DISCLOSURE TIMELINE
  71. -------------------------
  72. July 10, 2012: Discovered by Sebastián Guerrero Selma
  73. July 10, 2012: Vendor contacted including PoC.
  74.  
  75.  
  76. XII. LEGAL NOTICES
  77. -------------------------
  78. The information contained within this advisory is supplied "as-is"
  79. with no warranties or guarantees of fitness of use or otherwise.
  80. Sebastián Guerrero Selma accepts no responsibility for any damage
  81. caused by the use or misuse of this information.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement