Instagram Hack Reveals The Risks Of Bug Bounty Programs
Facebook Responds to Researcher Who Hacked Instagram.
A security researcher who discovered vulnerabilities in an Instagram server apparently traded barbs this week with Instagram parent Facebook’s chief security officer over whether his explorations of the system’s weaknesses went beyond ethical limits. Wesley Wineberg, an independent security researcher participating in Facebook’s bug bounty program, managed to crack his way through Instagram’s defenses and almost gain complete control over the service.
Wesley Wineberg, the security researcher in question, recently claimed to have discovered a ‘million dollar bug’ in Instagram, the immensely popular photo app acquired by Facebook in 2012 for US$1 billion (£670 million). As reported by industry publication Threatpost, the researcher accused Facebook of hinting at legal and criminal action after he posted on a blog about security vulnerabilities in the system, and about the fact that he cracked employee accounts and passwords in the process. Bug bounty hunters, set to work by corporations and multinationals, are tasked with finding vulnerabilities and loopholes in the companies’ products and systems.
Soon after the researcher disclosed the vulnerability to Facebook, the company threatened to sue, instead of paying the reward he was due for his work. Wineberg said the bug would have given him access to SSL certificates, source code, and ultimately, the back end of the entire website. “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement”, wrote Wineberg in his blogpost. Wesley Wineberg, a contractor for security firm Synack, posted on his blog about the security flaws and went into detail about what he allegedly encountered. However, as these programmers delve deeper, situations sometimes take unexpected turns, and they find themselves at loggerheads with their beneficiary. With that material he could effectively gain access to any user account and impersonate any user or staff member, essentially the keys to the kingdom, as Wineberg described it.
Facebook alone has paid out millions of dollars through its program since 2011, and bug bounty programs are run by an industry-spanning list of companies from Google to United Airlines. Wineberg started his research into Instagram’s systems following a tip from a friend that the sensu.instagram.com web page, an administration panel for Instagram’s services, was publicly reachable from the Internet.
Wineberg, who has over seven years’ experience in information security, is an old hand at bug-bounty reporting, claiming to have disclosed hundreds of bugs “with almost no drama,” until now. He had submitted bugs to Facebook before, and its terms and conditions ask for evidence of flaws that allow deep penetration of the firm’s servers, as long as doing so doesn’t cause server downtime.
As you can imagine, the security research community reacted with outrage against Facebook, and its CSO published a statement yesterday to clear the air around the issue. However, the social media giant took issue with the second and third disclosures, saying that the researcher had overstepped his bounds: rather than merely disclosing the vulnerability, he delved further into the system, exfiltrated data and found yet more vulnerabilities, violating user privacy in the process.
After reporting the security hole, Wineberg, who wasn’t immediately available for comment, wrote that he used the access it provided to search for additional weaknesses in the system. Alex Stamos, CSO of Facebook, responded in a blog post, saying that while Wesley reported the vulnerability ethically, he also exfiltrated technical and system data using the flaw he had found and reported.
He found credentials for a database on the server and used those credentials to download usernames and encrypted passwords for a Web-accessible administrative tool running on the machine. Facebook, Microsoft, Amazon, and many other companies rely on outside security researchers to discover flaws their internal security culture may miss.
Sensibly, the account passwords were hashed with bcrypt, but he ran them through John the Ripper, an open source password cracker capable of about 250 guesses a second against those hashes. “To my surprise, passwords immediately came back.” From there on, he was able to dump the contents of a local Postgres database, which led to his digging out the user details of about 60 employees and cracking the password hashes of as many as 12 accounts. Since some passwords were quite weak (e.g. changeme, instagram, password), results popped up within minutes, and he was quickly able to follow through on his investigation by logging in on the sensu.instagram.com interface.
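The lesson from this paragraph is that a slow hash such as bcrypt only buys time; a password that sits on every cracker’s wordlist still falls in minutes, so it has to be rejected when the account is created. The following enrolment-time check is an added example written for this article, not code from Facebook, Instagram or Wineberg. Its denylist, leet-speak map and sample accounts are constructed assumptions, and it goes slightly beyond the article by also catching leet-speak and year-suffixed variants of the weak passwords quoted above.

```python
"""Enrolment-time password check of the kind that would have rejected the
passwords cracked in the incident described above.

Added example, not code from Facebook, Instagram or Wineberg. The denylist,
the leet-speak map and the sample accounts are constructed assumptions.
"""
import re
import unicodedata

# Constructed denylist; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "changeme", "instagram", "123456", "qwerty",
                    "letmein", "welcome", "admin"}

# Common character substitutions, so "p4ssw0rd" is treated as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: strip accents, lower-case, drop a
    trailing run of digits/symbols (e.g. "!2015"), then undo leet substitutions."""
    base = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode()
    base = re.sub(r"[^a-z]+$", "", base.lower())
    return base.translate(LEET_MAP)


def check_password(password: str, context_words=(), min_len: int = 12) -> list[str]:
    """Return the list of policy violations for one password (empty if acceptable)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        problems.append("variant of a commonly used password")
    for word in context_words:  # service, company or account names
        if word and word.lower() in base:
            problems.append(f"contains context word '{word}'")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    return problems


def audit_accounts(accounts: dict, context_words=()) -> dict:
    """Map each username whose password violates the policy to its violations."""
    report = {}
    for user, password in accounts.items():
        problems = check_password(password, context_words)
        if problems:
            report[user] = problems
    return report


# Constructed sample: usernames and the clear-text passwords an enrolment form
# would see (the article's weak passwords plus two stronger ones).
SAMPLE_ACCOUNTS = {
    "alice": "changeme",
    "bob": "Instagram2015!",
    "carol": "P4ssw0rd",
    "dave": "correct horse battery staple",
    "erin": "xK9#mQv2&Lp8zR",
}

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, ["instagram"]).items():
        print(user, "->", "; ".join(problems))
```

The normalisation step matters more than the length rule: at the few hundred guesses a second the article quotes, a cracker exhausts a few thousand common words and their obvious variants long before it exhausts an attacker’s patience, so the check has to recognise “Instagram2015!” and “P4ssw0rd” as the same weak choices as “instagram” and “password”.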
But clashes are sure to come up in the process, and, as in this case, they turn into a Rashomon-type situation where two parties have very different interpretations of the same event. He also soon discovered a configuration file with access credentials for an account on Amazon’s Simple Storage Service, which he used to access what appeared to be a set of “deployment scripts” stored on the Amazon cloud system. Wineberg appears to have incurred Facebook’s wrath for submitting a report about some of the Instagram employee accounts he cracked during the project; those accounts had passwords such as “password,” “changeme,” and “instagram.”
However, Wineberg apparently went on to unearth other flaws and, while looking at a Sensu configuration file, ended up discovering an AWS key pair which listed as many as 82 different Amazon S3 storage containers. The researcher’s wild trip down the rabbit hole of the Instagram backend didn’t stop here, though, and he discovered yet another AWS key, which led him to another 82 AWS S3 buckets, but these buckets were special. Stamos then contacted Synack, Wineberg’s employer, and according to Wineberg made the point to Synack’s CEO, Jay Kaplan, that he did not want to have to get Facebook’s legal team involved, and wondered aloud whether law enforcement should get involved.
Still, the rules do similarly ask researchers to “let us know right away” when a bug is found and “not interact with other accounts without the consent of their owners”, phrasing which seems designed with end user accounts in mind but might also apply to the employee accounts with weak passwords and Facebook’s own S3 accounts. With some effort, Wineberg was then able to read and download several buckets, with their content ranging from SSL keys, private keys for Instagram.com, keys used to sign authentication cookies, email server credentials, iOS and Android app signing keys, and iOS push notification keys. Wineberg had inadvertently stumbled upon Instagram’s source, SSL certificates, other API keys used for interacting with other services, user pictures, static content from the instagram.com website, or as the researcher eloquently put it: “EVERYTHING” (selfies included). He disclosed his findings to Facebook’s security staff, but conversations did not go as expected, and instead of receiving a reward from Facebook for his hard work, Mr.
It is unclear how easy it would be to use the information I gained to then compromise the underlying servers, but it definitely opened up a lot of opportunities. As with most scandals surrounding bug disclosures, it all comes down to not having an independent party decide the reward sum for security research, and leaving it to the affected company alone.
Communication from Facebook’s side became very scarce, and at one point Facebook’s CSO (Chief Security Officer) even went so far as to secretly call Mr. However, the manner in which the information was discovered irked the company, which said that Wineberg’s research had gone far beyond the scope of the bounty program.
Stamos said he didn’t want to get lawyers involved, but did need assurances that Wineberg wouldn’t be publishing anything on how he got into the S3 buckets and that he had deleted any data retrieved. “I did not threaten legal action against Synack or Wes nor did I ask for Wes to be fired,” Stamos said in a Facebook post. “I did say that Wes’s behavior reflected poorly on him and on Synack, and that it was in our common best interests to focus on the legitimate RCE report and not the unnecessary pivot into S3 and downloading of data.” Stamos said, and Wineberg agrees, that the bug report on the initial RCE flaw was confirmed and a payout of $2,500 was made. Wes was one of several people to report to us that Instagram was exposing a Ruby-based admin panel with known flaws. As is standard, we responded to Wes thanking him for his submission and telling him we would investigate.
But when he submitted the flaw report on weak user passwords, Facebook rejected the flaw and reminded Wineberg that he wasn’t supposed to be going quite so far in his research. “In the future we expect you will make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research,” the email, sent on October 28, stated. Wineberg wrote: “I am not looking to shame any individuals or companies, but I do believe that my treatment in this situation was completely inappropriate.” In the meantime, Facebook has blocked access to the Sensu-Admin application. Then, on December 1, he reported the AWS key issue and got an immediate response that the digging had violated user privacy, stating that “we do not explicitly prevent nor provide permission” to publish his findings. Not only could such actions cause major problems in a company’s networks; they could lead back to the bad old days of companies lawyering up against the security community.
Stamos said that he thought Wineberg was an employee of Synack’s because the researcher used a synack.com email address when contacting Facebook, and he blogged for the company. Also, the mention of law enforcement seems to have brought the errant programmer down a couple of notches: he now wants Synack to confirm that no details were ever made public and that all the data accessed and downloaded from Instagram had been deleted, while also agreeing to keep the findings and interactions private. However, he did express his disappointment at the treatment meted out to him and said that security researchers needed to be given appropriate treatment and protection.
Both sides in this fight appear keen to draw a line under the affair, but the case does highlight the delicate line between legitimate research and sort-of hacking for money. Although over the years the situation for security researchers has improved to the point where they are no longer indiscriminately branded as hackers, the incident goes to show that a much deeper level of understanding and comfort between researchers and the corporations in question is still lacking, and is much needed for the sake of mutual benefit and consumer safety.