=================================================================
Vulnerability on Instagram application (Friendship Vulnerability)
- Original release date:
- Last revised:
- Discovered by: Sebastián Guerrero Selma
- Severity: 5
=================================================================

I. VULNERABILITY
-------------------------
Instagram's lack of control over its authorization logic allows a user
to add himself as a friend of any user on the Instagram social network.

II. BACKGROUND
-------------------------
Instagram is a free photo sharing program launched in October 2010 that
allows users to take a photo, apply a digital filter to it, and then
share it on a variety of social networking services, including
Instagram's own. A distinctive feature confines photos to a square
shape, similar to Kodak Instamatic and Polaroid images, in contrast to
the 4:3 aspect ratio typically used by mobile device cameras.

Instagram was initially supported on iPhone, iPad, and iPod Touch; in
April 2012, the company added support for Android camera phones running
2.2 (Froyo) or higher. It is distributed via the iTunes App Store and
Google Play.

III. DESCRIPTION
-------------------------
The mobile application for Android and iPhone is affected by a remote
vulnerability due to the lack of control over the logic applied to the
authorization feature. An attacker can perpetrate a brute-force attack
in the context of the user application and add himself as a friend of
all the users on Instagram, which makes it possible to gain access to
private albums and profile information.

IV. POC
-------------------------
http://imgur.com/aZccK

V. BUSINESS IMPACT
-------------------------
An attacker can execute a brute-force attack against a targeted user's
account, which can be leveraged to steal the user's private pictures.

VI. SYSTEMS AFFECTED
-------------------------
Instagram

VII. SOLUTION
-------------------------
Not fixed

VIII. REFERENCES
-------------------------
http://www.instagram.com
http://blog.seguesec.com
http://twitter.com/0xroot

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------

XI. DISCLOSURE TIMELINE
-------------------------
July 10, 2012: Discovered by Sebastián Guerrero Selma
July 10, 2012: Vendor contacted including PoC.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Sebastián Guerrero Selma accepts no responsibility for any damage
caused by the use or misuse of this information.
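
Added example, not part of the original advisory and not Instagram's code: a server-side model of the control that section III says is missing, where a follow of a private account stays pending until its owner approves it, and bulk follow attempts from one account are throttled. The advisory does not publish the request details, so the class, method names and limits below are hypothetical.

```python
import time
from collections import defaultdict, deque

class FollowService:
    """Hypothetical server-side model; names and limits are illustrative."""

    def __init__(self, max_requests=20, window_s=60.0, clock=time.monotonic):
        self.private = {}                    # user -> is the account private?
        self.followers = defaultdict(set)    # owner -> approved followers
        self.pending = defaultdict(set)      # owner -> requests awaiting approval
        self.recent = defaultdict(deque)     # actor -> times of follow attempts
        self.max_requests, self.window_s, self.clock = max_requests, window_s, clock

    def add_user(self, user, private=False):
        self.private[user] = private

    def _throttle(self, actor):
        # Sliding window: bulk follow attempts from one account are refused.
        now, q = self.clock(), self.recent[actor]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def request_follow(self, session_user, target):
        # session_user is taken from the authenticated session, never from
        # a user id supplied in the request body.
        if session_user not in self.private or target not in self.private:
            return "rejected"
        if session_user == target:
            return "rejected"
        if not self._throttle(session_user):
            return "throttled"
        if self.private[target]:
            self.pending[target].add(session_user)  # no access until approved
            return "pending"
        self.followers[target].add(session_user)
        return "following"

    def approve(self, session_user, requester):
        # Only the account owner (the session user) can approve its requests.
        if requester not in self.pending[session_user]:
            return False
        self.pending[session_user].discard(requester)
        self.followers[session_user].add(requester)
        return True

    def can_view(self, viewer, owner):
        # Checked on every read of albums or profile data.
        return viewer == owner or not self.private.get(owner, True) \
            or viewer in self.followers[owner]
```

The read-side check in can_view matters as much as the follow handler: a relationship record created through any other path still grants nothing unless the owner approved it.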