20 million Instagram accounts were put at risk through sloppy security hole
A bug bounty of US $5,000 has been awarded to a Belgian vulnerability researcher who uncovered two methods by
which malicious hackers could brute force their way into Instagram accounts.
Arne Swinnen says that he discovered two distinct vulnerabilities which could, when combined with the site's weak
password policies and a lack of two-factor authentication and other mitigating security controls, have allowed an
attacker to break into accounts, including those belonging to high-profile celebrities.
If high-profile accounts had been hacked, they could have been exploited to send spam messages and malicious
links to millions of followers, and potentially opened opportunities for embarrassing intimate photo leaks like those
seen during 2014's notorious Celebgate.
The first flaw existed in Instagram's Android app, which correctly blocked incorrect password guesses after 1000
attempts from the same IP address but then (bizarrely) allowed them on every other attempt after the 2000th.
Swinnen described in a blog post how he was able to create a quick-and-dirty Python script which could launch a
brute force attack of 10000 popular passwords against an Instagram test account:
This allowed a reliable brute-force attack, since an attacker could reason on the
reliable response messages and simply replay the unreliable ones until a reliable
answer was received. The only limitation of this attack was that on average, 2
authentication requests had to be made for one reliable password guess attempt.
Swinnen noted that the site also failed to identify that the same IP address was being used in the repeated attempts
to crack the password, missing opportunities to alert that an account might be under attack or to lock it as a
precautionary measure.
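The two controls the article says were missing (a lockout that stays consistent instead of admitting every other request, and a check that the same source IP keeps failing) as an added example. This is not code from the article, from Swinnen or from Instagram; the thresholds, the window length, the log line format and the IP addresses are all constructed for illustration.

```python
"""Per-account lockout plus per-source-IP budget for login attempts.

Added example, not code from the article, Swinnen or Instagram. Thresholds,
log format and IP addresses are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not Instagram's real thresholds).
ACCOUNT_MAX_FAILS = 10   # failures on one account inside WINDOW before it is locked
IP_MAX_FAILS = 100       # failures from one source IP inside WINDOW before it is blocked
WINDOW = 900             # sliding window in seconds (15 minutes)


@dataclass
class LoginThrottle:
    """Tracks failed logins and decides whether an attempt may proceed.

    The decision is consistent: once a key has spent its budget it stays
    rejected for the rest of the window, rather than being let through on
    alternate requests.
    """
    account_fails: dict = field(default_factory=lambda: defaultdict(deque))
    ip_fails: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(timestamps, now):
        # Drop failures that have fallen out of the sliding window.
        while timestamps and timestamps[0] <= now - WINDOW:
            timestamps.popleft()

    def check(self, username, ip, now):
        """Return 'allow', 'locked' (account budget spent) or 'blocked' (IP budget spent)."""
        self._prune(self.account_fails[username], now)
        self._prune(self.ip_fails[ip], now)
        if len(self.account_fails[username]) >= ACCOUNT_MAX_FAILS:
            return "locked"
        if len(self.ip_fails[ip]) >= IP_MAX_FAILS:
            return "blocked"
        return "allow"

    def record_failure(self, username, ip, now):
        self.account_fails[username].append(now)
        self.ip_fails[ip].append(now)

    def record_success(self, username):
        # A correct password clears the account counter only; the IP counter is
        # kept so a source spraying many accounts still runs out of budget.
        self.account_fails[username].clear()


def simulate(attempts, throttle=None):
    """Replay (timestamp, username, ip, password_correct) tuples; return a tally of decisions."""
    if throttle is None:
        throttle = LoginThrottle()
    tally = {"allow": 0, "locked": 0, "blocked": 0}
    for now, username, ip, password_correct in attempts:
        decision = throttle.check(username, ip, now)
        tally[decision] += 1
        if decision != "allow":
            continue  # rejected before the password is even compared
        if password_correct:
            throttle.record_success(username)
        else:
            throttle.record_failure(username, ip, now)
    return tally


# Detection side: the repeated same-IP failures the article says went unnoticed.
LOG_RE = re.compile(r"auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def flag_noisy_sources(log_lines, threshold):
    """Count FAIL lines per source IP; return {ip: count} for IPs at or above threshold."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("result") == "FAIL":
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


SAMPLE_LOG = [  # constructed sample lines in an assumed format, not real logs
    "2016-05-10T12:00:01Z auth FAIL user=victim ip=203.0.113.7",
    "2016-05-10T12:00:02Z auth FAIL user=victim ip=203.0.113.7",
    "2016-05-10T12:00:02Z auth FAIL user=victim ip=203.0.113.7",
    "2016-05-10T12:00:03Z auth FAIL user=victim ip=203.0.113.7",
    "2016-05-10T12:00:03Z auth FAIL user=other ip=203.0.113.7",
    "2016-05-10T12:00:09Z auth FAIL user=alice ip=198.51.100.4",
    "2016-05-10T12:00:15Z auth OK user=alice ip=198.51.100.4",
]

if __name__ == "__main__":
    # 2000 wrong guesses at one account from one IP, all inside the window: only the
    # first 10 reach the password comparison, the rest are rejected as 'locked'.
    print(simulate([(i // 10, "victim", "203.0.113.7", False) for i in range(2000)]))
    print(flag_noisy_sources(SAMPLE_LOG, threshold=3))
```

The per-IP counter is deliberately not cleared on a successful login, so an address that sprays one guess across many accounts still exhausts its budget even though no single account ever reaches its own lockout threshold.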
Additionally, the researcher uncovered a security problem with Instagram's website, specifically in how it handled
user registration.
Again, Instagram did not have sufficient protection mechanisms in place, such as rate-limiting or account lockout,
to prevent brute force attacks from succeeding.
Instagram was reported to have started rolling out two-step verification to better protect accounts from hackers in
2016, but it is thought that the system has not yet gone worldwide. That's a shame, as it would certainly help make
things more difficult for account hackers.
Instagram has responded to Swinnen's vulnerability reports by strengthening rate-limiting. Instagram's password
policy has also been slightly hardened, with particularly dumb, easy-to-predict passwords such as 123456 and
password outlawed.
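An added example of the kind of password-policy check just described, written for this page and not Instagram's actual policy: it rejects short passwords and, after folding case, undoing common leetspeak substitutions and stripping trailing digits or symbols, checks the result against a denylist, so a variant like "P@ssw0rd2016!" is caught together with "password". The denylist, the minimum length and the substitution table are assumptions.

```python
"""Reject trivially guessable passwords with a normalized denylist and a minimum length.

Added example of a policy check, not Instagram's actual policy; the denylist,
minimum length and substitution table are constructed for illustration.
"""
import re

# Constructed denylist; a deployment would load a large breach-derived list instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "instagram"}
MIN_LENGTH = 8  # assumption

# Undo the cheap substitutions guessers try first ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(password):
    """Strip trailing digits/symbols, lower-case and de-leet, so variants of a banned word collapse onto it."""
    stripped = TRAILING_JUNK.sub("", password)
    return stripped.lower().translate(LEET)


def check_password(password, username=""):
    """Return (accepted, reason); accepted is False for short, denylisted or username-based passwords."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    normalized = normalize(password)
    if not normalized:
        # Nothing but digits and symbols, e.g. "1234567890": no letters survive normalization.
        return False, "only digits and symbols"
    # Check both the literal password and its normalized form against the denylist.
    if {password.lower(), normalized} & COMMON_PASSWORDS:
        return False, "on common-password denylist"
    if username and username.lower() in password.lower():
        return False, "contains username"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2016!", "1234567890", "alice-rocks-2016", "correct horse battery staple"):
        print(candidate, check_password(candidate, username="alice"))
```

Normalization is applied before the denylist lookup rather than by expanding the denylist with every variant, which keeps the list small and catches combinations (leetspeak plus a year plus a trailing symbol) that no precomputed list would enumerate.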
This isn't the first time that Swinnen has uncovered serious security holes in Facebook-owned Instagram.
Swinnen stumbled across the vulnerabilities after he received a verification request from Instagram when
The researcher discovered that the verification link contained an incremental numeric user ID in its URL, something
seasoned vulnerability researchers find hard to resist meddling with.
As Swinnen changed the numeric user ID in the URL using a simple script, he was sometimes greeted with
verification pages that did not offer to send a verification code to the user's email address, but occasionally asked
for another interaction from the user.
Swinnen enumerated the user ID with interesting results, sometimes exposing a security vulnerability.
In 0.17% of cases during his testing, Swinnen was asked to update the email addresses of temporarily locked
accounts.
Once an account was given a new email address, a password reset could then be performed, giving an unauthorised
party complete access to the account.
In 3.88% of cases, the verification page would request that a phone number be entered to which Instagram would
send a security code, again opening clear opportunities for hackers to commandeer accounts. Worse still, the form
also broke privacy by displaying the account owner's current mobile phone number.
This case was the most troublesome, as an attacker could on one hand gather
sensitive user information (pre-filled phone number in some cases), and on the other
hand simply update the phone number linked to the victim Instagram account.
After successfully linking a new phone number, an attacker could perform the reset
password via SMS scenario and gain complete access to the account. Big security
impact, and almost 4% of all accounts affected in the one million range. A quick
manual verification also learned that these were mostly human accounts which had
been inactive for a couple of weeks, of which many had a good amount of followers on
Instagram.
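The design that removes the root cause described above, as an added example that is not Instagram's implementation: instead of exposing an incremental numeric user ID in the verification URL, the link carries an opaque token that binds the user ID, the purpose of the link and an expiry time under an HMAC, so editing the ID in the URL, reusing an email-verification token for a password reset, or using an old link all fail verification. The server key, the TTL, the user IDs and the timestamps are constructed for illustration.

```python
"""Verification links that carry a signed, expiring token instead of a bare incremental user ID.

Added example, not Instagram's implementation. The key, TTL, user IDs and
timestamps are constructed for illustration.
"""
import binascii
import hashlib
import hmac
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service loads this from a secret store
TOKEN_TTL = 3600                      # seconds a link stays valid (assumption)


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def _b64(data):
    return urlsafe_b64encode(data).decode()


def issue_token(user_id, purpose, now=None):
    """Mint an opaque token bound to one user and one purpose, valid for TOKEN_TTL seconds."""
    now = int(time.time() if now is None else now)
    # The nonce makes every issued link distinct even for the same user and purpose.
    payload = f"{user_id}|{purpose}|{now + TOKEN_TTL}|{secrets.token_hex(8)}".encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_token(token, expected_purpose, now=None):
    """Return the user_id if the token is authentic, unexpired and for the expected purpose, else None."""
    now = int(time.time() if now is None else now)
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = urlsafe_b64decode(payload_b64)
        signature = urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison; any edit to the payload changes the expected MAC.
    if not hmac.compare_digest(signature, _sign(payload)):
        return None
    try:
        user_id, purpose, expires, _nonce = payload.decode().split("|")
    except ValueError:
        return None
    if purpose != expected_purpose or now > int(expires):
        return None
    return int(user_id)


def with_swapped_user_id(token, other_user_id):
    """Test helper: change the user field of a token while keeping its signature, to show the check rejects it."""
    payload_b64, sig_b64 = token.split(".", 1)
    fields = urlsafe_b64decode(payload_b64).decode().split("|")
    fields[0] = str(other_user_id)
    return _b64("|".join(fields).encode()) + "." + sig_b64


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed timestamp
    token = issue_token(1234, "verify-email", now=issued_at)
    print("genuine:", verify_token(token, "verify-email", now=issued_at + 60))
    print("ID swapped:", verify_token(with_swapped_user_id(token, 1235), "verify-email", now=issued_at + 60))
    print("wrong purpose:", verify_token(token, "reset-password", now=issued_at + 60))
    print("expired:", verify_token(token, "verify-email", now=issued_at + TOKEN_TTL + 1))
```

Binding the purpose into the signed payload matters as much as the user ID: the article's worst case was an email-verification flow being turned into a password reset, and a token that is only ever accepted for the purpose it was minted for closes that path.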
With so much success finding flaws in Instagram, you have to wonder when the photo-sharing social network will
offer Swinnen a full-time job.