Affected app: Instagram for Android
Affected versions: 4.0.2 and 4.1.2, probably also earlier versions (as well as iOS) affected.

# Summary

After the Instagram iOS vulnerability discovered last year [1], the app's HTTP API has been extended with a cryptographic
authentication for changes like "likes" and deletes. However, the implementation of this authentication is flawed in two ways,
making it possible to "like" or delete pictures in the name of another user, once his credentials have been sniffed over plain-text
HTTP.

# Vulnerability 1: Partial Cryptographic Authentication

When a user issues a "like" or "delete" command from the app, an HTTP POST request is made to the instagram server:

  POST /api/v1/media/528086397952388638_263262746/like/ HTTP/1.1\r\n
  Host: instagram.com
  [more headers stripped]

  
signed_body=e365434d1344fc5d73f85bb72b2d7e3474dd8227275071cb9dd9649ca4f0216d.%7B%22media_id%22%3A%22528086397952388638_263262746%22%
7D&ig_sig_key_version=4&src=timeline&d=0

The POSTed data is a set of multiple form-urlencoded parameters, with the first one being most interesting. The signed_body
parameter is a cryptographic signature, concatenated with a JSON string ('{"media_id":"528086397952388638_263262746"}' in the
example above). In that string, the media ID from the POST URL (the internal identifier of a picture) is encoded again, and the
signature is created over exactly this JSON string.

Because only the media_id is authenticated, but not the action to be performed, it is possible for an attacker who can sniff the
credentials cookie and a "Like" API message to forge a "Delete" message for the same image, re-using the authentication signature.
Of course, this only works in the unlikely case where users "like" their own image over a public network.

# Vulnerability 2: Bad Key Choice

However, the secret key used for this authentication signature is hard-coded in the app. That means an attacker who can extract the
key from the app is able to forge the cryptographic signature for any media_id desired. Once an attacker gains the authentication
cookie (which is transmitted over plaintext HTTP by the app), he can delete all the pictures posted by the user so far, and also
"like" or "un-like" any pictures available for view.

The signature key is stored in an obfuscated fashion in a combination of native and Java code. It is obtained by calling
NativeBridge.getInstagramString("[snipped]") from the RequestUtil.generateSignature(String request) method. Afterwards, an
HMAC-SHA256 signature is generated with the key over the request string. We are not providing proof-of-concept code for this
vulnerability because making the static signature key public would allow scripted access to the Instagram API.

# Suggested Countermeasures

We suggest switching all communications from the app to the API server to use HTTPS, like already done by most other major
providers. If this is not feasible, we suggest extending the cryptographic authentication as follows:

1.  Use a signing key that is specific to the given user and not known to third parties, i.e. downloaded via HTTPS or at least
derived from the user’s username+password
2.  Add a sequence number into the signed_body field
3.  Add the POST URL or some other encoding of the action to perform into the signed_body, and validate it on the server

# Timeline

*  2013-07-21 We have discovered the vulnerability.
*  2013-07-23 The vendor was contacted via e-mail, there was no reply yet.
*  2013-08-07 Instagram 4.1 was published to Google Play, the issue still unfixed.
*  2013-08-26 Publication of the vulnerability.

# Contact

Please contact Georg Lukas <lukas@rt-solutions.de> from rt-solutions.de GmbH [2]with any further questions regarding the
vulnerability.

[0] PDF version of this document:
http://www.rt-solutions.de/images/PDFs/Veroeffentlichungen/Instagram%20App%20Security%20Vulnerability.pdf
[1] http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue
[2] rt-solutions.de GmbH http://www.rt-solutions.de/

-- 
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de