Crazy Instagram Hack Stirs up Controversy between Security Researchers and Facebook
An independent security researcher is in a bit of a mess with Facebook after hacking into Instagram and gaining access to nearly all of the social media giant's private information. However, after responsibly disclosing his findings about the severe bugs, Facebook is threatening to pursue legal action over his research.
After hacking into one of the world’s largest social networks, Instagram, the independent security researcher was threatened with legal action after responsibly disclosing a set of critical vulnerabilities to Instagram’s security team, which is run by Facebook. The severe flaws gave him access to extremely sensitive data, including:
- Instagram website source code
- SSL Certificates and Private Keys used to secure Instagram
- Keys used to sign authentication cookies
- Private information on current Instagram employees and users
- Email server login credentials
- Encryption keys for over half a dozen other critical functions
According to Facebook, the researcher did not fully disclose the flaws; the company claims he intentionally withheld information about the vulnerabilities while reporting them to the security team.
Wesley Wineberg, a senior security researcher at Synack and the man in question, participated in Facebook’s bug bounty program. During this time, Wineberg began looking around Instagram’s services, and one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.
While analyzing that host he discovered a Remote Code Execution (RCE) bug in the way Instagram processed users’ session cookies, the cookies used to keep users logged in.
After being tipped off by a fellow security researcher, Wineberg was pointed to an Internet-accessible Instagram server, an Amazon EC2 instance running the Sensu monitoring tool. He reported the exposure of the server to Instagram, but quickly noticed a trail and found a hard-coded Ruby token that was supposed to be kept secret. Not only could the token be used to spoof session cookies, but Wineberg said he could leverage the Ruby application's session cookies to achieve code execution.
Using this attack vector, Wineberg was able to dump the contents of a local Postgres database, where he found 60 employee user accounts, including several encrypted passwords, 12 of which he was able to crack easily within minutes; he labeled them “extremely weak.”
However, Wineberg didn’t stop there! Taking a closer look at the configuration files found on the vulnerable Amazon web server, he stumbled upon one file containing keys for Amazon Web Services accounts.
The AWS key pair listed 82 different Amazon S3 buckets, or storage containers. Wineberg was able to access all of the buckets but one, and that bucket had another key pair inside which allowed him to read the contents of all 82 buckets.
In the course of his research, Wineberg had inadvertently stumbled upon essentially the entirety of Instagram’s secrets, including:
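The chain described above began with secrets sitting as literals in configuration on a reachable host: first a hard-coded session token, then AWS key pairs in a config file. As an added example that is not code from the article, from Wineberg, or from Instagram, Facebook or the Sensu project, here is a small Ruby scanner of the kind a defender would run in CI or over a deployed host to flag such literals before they ship. The sample file names, file contents and secret values below are constructed, and the key-name patterns (Rails `secret_token`/`secret_key_base`, `aws_secret_access_key`, `password`) are assumed formats chosen for the example; only the `AKIA` access-key-ID prefix is the documented public AWS format.

```ruby
# Added example, not the article's or any vendor's code: a hard-coded secret
# scanner. Each rule has one capture group holding the literal value so the
# finding can be reported with the value redacted.
require 'json'

SECRET_RULES = {
  'rails_secret_token'    => /secret_(?:token|key_base)\s*=\s*['"]([0-9a-f]{32,})['"]/i,
  'aws_access_key_id'     => /\b(AKIA[0-9A-Z]{16})\b/,
  'aws_secret_access_key' => /aws_secret_access_key\W+([A-Za-z0-9\/+=]{40})/i,
  'password_literal'      => /password['"]?\s*[:=]\s*['"]([^'"\s]+)['"]/i
}.freeze

Finding = Struct.new(:file, :line, :rule, :redacted)

# Keep only the first and last four characters so a report is not itself a leak.
def redact(value)
  return '*' * value.length if value.length <= 8
  value[0, 4] + '*' * (value.length - 8) + value[-4, 4]
end

# Scan one file's text, returning a Finding per (line, rule) match.
def scan_text(name, text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    SECRET_RULES.each do |rule, re|
      m = re.match(line)
      next unless m
      findings << Finding.new(name, lineno, rule, redact(m[1]))
    end
  end
  findings
end

# Constructed sample configs (no real secrets): a Rails initializer with a
# literal session secret, a Sensu-style JSON config with AWS keys and a broker
# password, and a database config that correctly reads its password from the
# environment and so should produce no finding.
SAMPLE_FILES = {
  'config/initializers/secret_token.rb' => <<~RUBY,
    # constructed sample, not a real secret
    Sensu::Application.config.secret_token = '0123456789abcdef0123456789abcdef0123456789abcdef'
  RUBY
  'config/sensu.json' => <<~JSON,
    {
      "aws_access_key_id": "AKIAEXAMPLEEXAMPLE00",
      "aws_secret_access_key": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecr000",
      "rabbitmq": { "user": "sensu", "password": "correct-horse-battery" }
    }
  JSON
  'config/database.yml' => <<~YAML
    production:
      adapter: postgresql
      password: <%= ENV.fetch('DB_PASSWORD') %>
  YAML
}.freeze

# Scan a name => contents hash; defaults to the constructed samples.
def scan_files(files = SAMPLE_FILES)
  files.flat_map { |name, text| scan_text(name, text) }
end

if __FILE__ == $PROGRAM_NAME
  scan_files.each do |f|
    puts "#{f.file}:#{f.line} #{f.rule} #{f.redacted}"
  end
end
```

Run as a script it prints four findings (one per literal secret) and nothing for `database.yml`, which is the point: a value pulled from the environment or a secrets manager at boot is invisible to an attacker reading config files off the disk, while a literal is not. In practice the `SAMPLE_FILES` hash would be replaced by `Dir.glob` over the repository or host.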
- Instagram’s source code
- SSL certificates and private keys
- API keys that are used to interact with other services
- Photos uploaded by Instagram users
- Static content from Instagram.com
- Email server login credentials
- Android and iOS app signing keys
- Other extremely sensitive data
“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement. With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member,” Wineberg said in his blog post published last week. “While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data. It is unclear how easy it would be to use the information I gained to then compromise the underlying servers, but it definitely opened up a lot of opportunities.”
Wineberg reports Instagram vulnerabilities
Wineberg reported his findings to Facebook’s security team; however, the social media giant was concerned that he may have accessed private information relating to Instagram users and employees.
Instead of receiving a rather large bug bounty reward for such a critical vulnerability, Wineberg was notified that his disclosure did not qualify for the bug bounty program set up by Facebook.
Wineberg claims that in early December his boss received a call from Facebook’s chief security officer Alex Stamos, regarding the recent vulnerabilities that his employee had uncovered. Stamos “stated that he did not want to have to get Facebook’s legal team involved, but that he was not sure if this was something he needed to go to law enforcement over.”
Stamos told Wineberg’s boss that he didn’t want to take legal action from either side. “Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk,” Stamos added.
Following Wineberg’s publication, Facebook denied that it had told Wineberg not to publish his findings, saying it had instead asked him not to disclose the non-public information he had gained access to.
Facebook’s security team also acknowledged the existence of at least one vulnerability, the RCE affecting sensu.instagram.com, and paid out the promised $2,500 reward to Wineberg and his friend.
However, the other vulnerabilities that Wineberg uncovered were marked as unqualified, as Facebook claims he violated user privacy by accessing the data.
Facebook Responds
Facebook issued an official statement regarding Wineberg’s research, writing:
“We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.
“We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.”