what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Instagram Friendship Authorization Logic

Instagram Friendship Authorization Logic
Posted Jul 11, 2012
Authored by Sebastian Guerrero Selma

An Instagram lack of control on authorization logic allows a user to add himself as a friend of any user on the Instagram social network.

tags | advisory
SHA-256 | a536d4f7b0bf113f33674e2217db3a96072490c932f09b8e3096070d991995ff

Instagram Friendship Authorization Logic

Change Mirror Download
=================================================================
Vulnerability on Instagram application (Friendship Vulnerability)
- Original release date:
- Last revised:
- Discovered by: Sebastián Guerrero Selma
- Severity: 5
=================================================================

I. VULNERABILITY
-------------------------
Instagram lack of control on authorization logic allows an user
to add himself as a friend of any user on Instagram social network

II. BACKGROUND
-------------------------
Instagram is a free photo sharing program launched in October 2010
that allows users to take a photo, apply a digital filter to it, and
then share it on a variety of social networking services, including
Instagram's own. A distinctive feature confines photos to a square
shape, similar to Kodak Instamatic and Polaroid images, in contrast
to the 4:3 aspect ratio typically used by mobile device cameras.

Instagram was initially supported on iPhone, iPad, and iPod Touch;
in April 2012, the company added support for Android camera phones
running 2.2 (Froyo) or higher. It is distributed via the iTunes App
Store and Google Play.

III. DESCRIPTION
-------------------------
The mobile application of Android & iPhone is affected by a remote
vulnerability due the lack of control on the logic applied to
authorization feature.

An attacker can perpetrate a brute force attack in the context of
user application and add himself as a friend of all the users on
Instagram, being possible in this way to get access to private
albums and profile information.

IV. POC
-------------------------
http://imgur.com/aZccK

V. BUSINESS IMPACT
-------------------------
An attacker can execute a brute force attack in a targeted
user's account, this can leverage to steal user private pictures.

VI. SYSTEMS AFFECTED
-------------------------
Instagram

VII. SOLUTION
-------------------------
Not fixed

VIII. REFERENCES
-------------------------
http://www.instagram.com
http://blog.seguesec.com
http://twitter.com/0xroot

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Sebastián Guerrero Selma (s.guerrero0 (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------

XI. DISCLOSURE TIMELINE
-------------------------
July 10, 2012: Discovered by Sebastián Guerrero Selma
July 10, 2012: Vendor contacted including PoC.


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Sebastián Guerrero Selma accepts no responsibility for any damage
caused by the use or misuse of this information.

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close