Security researchers have repeatedly demonstrated that flaws in OAuth implementations can be exploited to cause serious damage. The latest example comes from Nir Goldshlager, security researcher and founder of Break Security.
The researcher identified two methods by which Instagram accounts could be hijacked by abusing OAuth flaws. By exploiting the security holes, an attacker could have gained access to a victim’s private photos, posted new photos on the victim’s behalf, removed pictures and edited comments.
Fortunately, Facebook, which now owns Instagram, has addressed the issues reported by Goldshlager, so the attacks described below no longer work.
The first attack method could have been used to obtain an Instagram user’s access token by exploiting a flaw in the validation of the “redirect_uri” parameter.
In Instagram’s OAuth implementation, Facebook validated the “redirect_uri” parameter so that redirection to other files, folders and subdomains was blocked; redirection was only allowed to the domain registered by the app owner.
However, the researcher found that if the app owner’s domain was “appowner.com,” an attacker could have had users’ access tokens sent to his own domain, provided that domain carried the same name with a different suffix.
For instance, an attacker could have purchased domain names such as appowner.com.mx and appowner.com.br, and these were accepted as valid redirect targets.
In the second attack method, the researcher used Instagram’s “client_id” parameter with Facebook’s OAuth endpoint to obtain the victim’s “access_token.” There, the redirect target was barely validated at all.
“To my surprise, I discovered that an attacker can use virtually any domain in the redirect_uri, next parameter,” Goldshlager explained.
“You can literally use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id,” he added.
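The two findings above come down to one check: how an authorization server compares the redirect_uri presented in a request with the one the app owner registered. The following Python is an added illustration, not code from Instagram, Facebook or Break Security. It models a hypothetical sloppy validator that mirrors the behaviour described for the first method (other paths and subdomains refused, but a host such as appowner.com.mx accepted because it merely begins with the registered host) beside the exact-match validator that the OAuth 2.0 Security Best Current Practice recommends, which also refuses the arbitrary domains of the second method. The domain appowner.com, the callback path and the attacker domains are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample data: the redirect URI the (hypothetical) app owner registered.
REGISTERED_REDIRECT_URIS = {"https://appowner.com/oauth/callback"}


def _parts(uri):
    """Split a URI into (scheme, host, path); host is lower-cased for comparison."""
    p = urlsplit(uri)
    return p.scheme.lower(), (p.hostname or "").lower(), p.path or "/"


def weak_redirect_check(candidate, registered="https://appowner.com/oauth/callback"):
    """Hypothetical flawed validator (modelled on the behaviour the article describes,
    not on any real implementation). Scheme and path must match exactly, so other
    files, folders and subdomains are refused, but the host is compared with a
    prefix test. "appowner.com.mx" starts with "appowner.com", so it is accepted."""
    r_scheme, r_host, r_path = _parts(registered)
    c_scheme, c_host, c_path = _parts(candidate)
    return c_scheme == r_scheme and c_host.startswith(r_host) and c_path == r_path


def strict_redirect_check(candidate, allowed=REGISTERED_REDIRECT_URIS):
    """Exact-match validator: the presented redirect_uri must be string-identical to a
    pre-registered URI. No prefix, suffix or substring comparison of the host is done,
    so look-alike TLDs (first method) and arbitrary domains (second method) both fail.
    Fragments are refused because the token itself is delivered in the fragment."""
    p = urlsplit(candidate)
    if p.fragment or p.scheme.lower() != "https":
        return False
    return candidate in allowed


def token_recipient(candidate, check):
    """Return the host that would receive the access_token if `check` accepts the
    candidate redirect_uri, or None if the request is refused."""
    if not check(candidate):
        return None
    return _parts(candidate)[1]


if __name__ == "__main__":
    # Constructed candidates: the legitimate callback, the look-alike TLD from the
    # first method, a subdomain, a different path, and an unrelated attacker domain.
    candidates = [
        "https://appowner.com/oauth/callback",
        "https://appowner.com.mx/oauth/callback",
        "https://evil.appowner.com/oauth/callback",
        "https://appowner.com/oauth/callback/../steal",
        "https://attacker.example/oauth/callback",
    ]
    for uri in candidates:
        print(f"{uri:48} weak -> {token_recipient(uri, weak_redirect_check)!s:18} "
              f"strict -> {token_recipient(uri, strict_redirect_check)}")
```

Run it and the weak check hands the token to appowner.com.mx while correctly refusing the subdomain and the altered path, which is exactly the shape of bug that makes suffix-swapped domains a worthwhile purchase for an attacker; the strict check only ever delivers the token to the registered URI.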
Additional technical details of these attacks are available on Break Security’s blog.
You can also check out the proof-of-concept (PoC) video published by the company: