Facebook fixed two glaring security issues on Instagram that allowed attackers to carry out brute-force attacks and take over user accounts without too many difficulties.
Belgian security researcher Arne Swinnen discovered both issues, one that affected Instagram’s Android login form, and another one that affected Instagram’s Web-based registration system.
The researcher says that both brute-force attack issues were exploitable due to Instagram’s lackadaisical password policy, the fact that it still uses incremental user IDs, and because it lacked proper rate limiting protection.
Brute-force attack against Instagram’s Android app
Swinnen discovered this first scenario in which he could carry out brute-force attacks at the end of December.
The researcher found that he could send at least 1,000 login attempts to an authentication endpoint used by the mobile app and receive reliable replies. After this, he says that some sort of rate limiting intervened and provided “username not found” responses.
However, the researcher had patience with his attack, and after the 2,000th brute-force attempt, he discovered that the correct messages reappeared, followed by the “username not found” rate limiting errors, which he could now ignore.
“The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt,” Swinnen wrote on his blog.
So the attacker could simply mount the brute-force attack, then go back and retry the guesses for which he had received the rate-limiting error.
Even worse, the researcher discovered that he was able to log in from the same IP address he had used for the brute-force attack, which is a big no-no in terms of security practices.
Brute-force attack using the Web registration endpoint
The second brute-force attack he discovered was actually quite clever. Swinnen registered a test Instagram account and recorded the HTTP request that triggered the registration.
He then copied this HTTP request, removed all other fields except the username and password, and attempted to re-register the account again.
Feeding this request with a live account’s actual username & password triggered an error that said, “Those credentials belong to an active Instagram account.” Providing the wrong credentials showed a different error message.
So instead of brute-forcing the login form, the researcher used the registration form. This page had no rate limiting activated, and the researcher was able to send as many registration attempts as he wanted until he received the “Those credentials belong to an active Instagram account” message, which meant he had correctly guessed the account’s password.
Facebook awards $5,000 for both attacks
The researcher discovered this latter bug in February 2016, and at that point Facebook had not yet patched his first reported bug. Facebook fixed everything by May, though, and told the researcher they had added rate limiting to both authentication endpoints and made it harder for users to employ weak passwords. The company also awarded Swinnen $5,000 for his work, and it wasn’t the first time Facebook had rewarded him.
The researcher had previously discovered another flaw in Instagram that allowed attackers to. For that issue, revealed at the end of March, the researcher received a similar reward of $5,000.
Swinnen recommends that users make use of Instagram’s two-factor authentication system when it rolls out worldwide (still in a limited release now), and also that Facebook set up an account lockout policy for situations when there are a large number of failed login attempts from the same IP.
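As an added illustration (not Instagram’s code or Swinnen’s), the Python below sketches the defensive pattern the article describes: one sliding-window failure counter with lockout, keyed on the client IP alone and on (IP, username), shared by both the login and registration endpoints, with registration never comparing an existing account’s password. The account store, thresholds and function names are assumptions.

```python
import hmac
import time
from collections import defaultdict, deque
ACCOUNTS = {"alice": "correct-horse-battery-staple"}  # constructed sample store

class AuthRateLimiter:
    """Sliding-window failure counter with lockout, keyed on the client IP alone
    (guesses spread over usernames) and on (IP, username) (spread over endpoints)."""
    def __init__(self, max_failures=10, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def allowed(self, ip, user):
        now = self.clock()
        return all(self.locked_until.get(k, 0) <= now for k in (("ip", ip), ("acct", ip, user)))

    def record_failure(self, ip, user):
        now = self.clock()
        for k in (("ip", ip), ("acct", ip, user)):
            window = self.failures[k]
            window.append(now)
            while window[0] < now - self.window_s:  # forget failures outside the window
                window.popleft()
            if len(window) >= self.max_failures:
                self.locked_until[k] = now + self.lockout_s
                window.clear()

LIMITER = AuthRateLimiter()  # one instance shared by every password-checking endpoint

def login(ip, user, password):
    # Locked keys are refused before comparison: a lockout blocks the right password too.
    if not LIMITER.allowed(ip, user):
        return "rate_limited"
    if hmac.compare_digest(ACCOUNTS.get(user, "").encode(), password.encode()):
        return "ok"
    LIMITER.record_failure(ip, user)
    return "denied"

def register(ip, user, password):
    # Never compares an existing account's password (no oracle); probes still cost budget.
    if not LIMITER.allowed(ip, user):
        return "rate_limited"
    if user in ACCOUNTS:
        LIMITER.record_failure(ip, user)
        return "username_taken"  # identical reply whatever the password was
    ACCOUNTS[user] = password
    return "created"
```

Because the registration path reports only whether the username exists, its reply no longer depends on the password, and because both paths share the limiter, guesses cannot be spread across endpoints to stay under the threshold.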