Instagram account verification process flawed

Mar 28, 2016 21:05 GMT  ·  By

After receiving a critical bug report from Belgian security expert Arne Swinnen, Facebook patched Instagram in less than a day and awarded the researcher $5,000 (€4,500) for his diligence and expertise.

According to a blog post Swinnen penned this past Sunday, the issue affected only Instagram accounts that were locked for security reasons, either due to a long period of inactivity, spam, or repeated failed password attempts.

The researcher discovered the issue while reviving one of his older Instagram accounts, which was also locked and needed to be verified.

Only locked Instagram accounts were potentially exposed

While on this verification page, the researcher observed two security issues. The first was that Facebook was printing sensitive Instagram user details on the Web page, along with operations that could have allowed an attacker to reset emails attached to an account and later reset the account's password.

The second issue was what in the security business is called an Insecure Direct Object Reference (IDOR) vulnerability. Facebook was printing each user's ID in the page's URL and allowing it to be edited. By changing it, users could access the same verification page for other accounts without any form of authentication. Since Instagram uses incremental IDs, an attacker only needed to increment the number by one.

Swinnen tested one million accounts. Of these, only a few were locked for security reasons. Each of these accounts had different types of verification procedures in place, depending on how and why Facebook locked them.

Attackers could take over accounts using their email address, or...

Some accounts were verified via CAPTCHA, used for suspected spam (1,099 accounts), and others by email or SMS, used for unusual activity (1,960 accounts). These types of verification did not expose the accounts to hacking.

The first problem was when Facebook detected that the email address attached to an Instagram account was unreachable or false and was asking users to update their email.

An attacker scanning random profiles for locked accounts who encountered this page could enter their own email address, reset the password, and take over as the account's owner. Swinnen discovered 1,690 of these accounts in his 1 million test pool (0.17%).

... their phone number

The second and the bigger problem was when Facebook decided out of the blue to verify a series of accounts by phone number. The social network was asking users to update their phone number, but also pre-filling the phone number field with the last known number.

This form design flaw not only exposed a user's personal details but also allowed an attacker to edit the content of the field and enter their own phone number. Just like in the email scenario above, an attacker could then request a password reset via phone and take over the account from its rightful owner.

Swinnen found 38,808 of these accounts, which represent 3.88% of his test pool. As has recently been proven in Holland too, taking over Instagram accounts can be a lucrative business. Facebook fixed this issue on March 14.
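To make the two flaws concrete, here is a constructed Python sketch (added for this article, not Instagram's code) of a locked-account verification handler: the vulnerable version trusts the account ID from the URL and the phone number typed into the form, as described above, while the hardened version binds the page to the account that already authenticated with its password, masks the number it displays, and sends the code only to the number on record. The function names, the in-memory account table and the sample numbers are all assumptions.

```python
"""Constructed sketch of a locked-account verification flow (not Instagram's code)."""
from typing import Optional

# Constructed sample data: sequential IDs, as the article notes Instagram used.
ACCOUNTS = {
    1001: {"email": "owner@example.com", "phone": "+32470000001", "locked": True},
    1002: {"email": "other@example.com", "phone": "+32470000002", "locked": True},
}

SENT_CODES = []  # records (account_id, destination) for every verification SMS


def vulnerable_verify(url_id: int, form_phone: str, session_user: Optional[int]) -> str:
    """Flawed handler: the account comes from the URL (IDOR) and the phone
    number comes from the form, so any visitor can redirect the reset code."""
    account = ACCOUNTS.get(url_id)
    if account is None or not account["locked"]:
        return "not found"
    account["phone"] = form_phone              # client-supplied number is stored
    SENT_CODES.append((url_id, form_phone))    # and the code is sent to it
    return "code sent"


def mask_phone(phone: str) -> str:
    """Display helper: show only the country prefix and the last two digits."""
    return phone[:3] + "*" * (len(phone) - 5) + phone[-2:]


def hardened_verify(url_id: int, form_phone: str, session_user: Optional[int]) -> str:
    """Hardened handler: the account is taken from the password-authenticated
    session, the URL ID must match it, the stored number is never replaced by
    form input before verification, and the code goes to the number on record."""
    if session_user is None or session_user != url_id:
        return "forbidden"                     # no session, or it does not own this ID
    account = ACCOUNTS.get(session_user)
    if account is None or not account["locked"]:
        return "not found"
    SENT_CODES.append((session_user, account["phone"]))
    return "code sent"


def verification_page(session_user: Optional[int]) -> dict:
    """Hardened page model: the pre-filled number is masked, not editable."""
    account = ACCOUNTS.get(session_user) if session_user is not None else None
    if account is None:
        return {"error": "forbidden"}
    return {"phone_display": mask_phone(account["phone"]), "editable": False}
```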

Image: Verifying an Instagram account by updating email address
Image: Verifying an Instagram account by updating phone number