Instagram Vulnerable to Remote Code Execution Exploits - How, Technology and PC Security Forum | SensorsTechForum.com

Instagram Vulnerable to Remote Code Execution Exploits

Software companies and social networks often rely on bug hunters to discover vulnerabilities in their products. Sometimes, however, misunderstandings happen and, as in the present case, legal action can be threatened. Wesley Wineberg is a senior security researcher at Synack.

As reported by The Hacker News, he recently took part in Facebook's bug bounty program after a friend gave him a hint about a potential vulnerability in sensu.instagram(.)com.

A Remote Code Execution Vulnerability in sensu.instagram(.)com

This is how Wineberg discovered a remote code execution (RCE) vulnerability in the way sensu.instagram(.)com processed session cookies, the cookies used to remember a user's login.

The RCE was possible because of two issues combined:

1. The Sensu-Admin web app running on the server contained a hard-coded Ruby on Rails secret token.
2. The host was running a version of Ruby on Rails (3.x) whose cookie-based session store was susceptible to code execution via a forged session cookie.

The two matter together because the Rails 3 cookie store serialises the session with Marshal and signs the result with that secret token. Anyone who knows the token can sign a cookie of their own choosing, and the server will Marshal.load its contents before the application has looked at the session at all.
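The following Ruby script is an added illustration; it is not code from this article, from Rails, or from Wineberg's exploit. It models the Rails 3 cookie store (Marshal-serialised session, Base64, HMAC-SHA1 keyed with secret_token) closely enough to show three things: a leaked secret lets an attacker mint any session the server will accept; an accepted payload goes straight into Marshal.load, which runs code from any class that defines marshal_load, here a harmless canary class standing in for a real gadget; and two mitigations, rotating the secret and switching to a JSON serializer, each close the hole. The token value, the DeserializationCanary class and the helper names are assumptions of the example.

```ruby
require "openssl"
require "json"

# Constructed stand-in for the leaked config value; the real token is not on the page.
SECRET_TOKEN = "hard-coded-secret-token-for-illustration-only"

# Rails 3 signs the Base64 payload with HMAC-SHA1 keyed by config.secret_token.
def sign(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
end

# Constant-time comparison so the signature check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: "<base64(serialised session)>--<hmac>", the Rails 3 CookieStore layout.
# :marshal models Rails 3; :json models the safer serializer later Rails versions default to.
# pack("m0") is strict Base64 without line breaks.
def encode_session(session, secret = SECRET_TOKEN, serializer: :marshal)
  raw = serializer == :marshal ? Marshal.dump(session) : JSON.generate(session)
  payload = [raw].pack("m0")
  "#{payload}--#{sign(payload, secret)}"
end

# Returns the session, or nil when the signature does not verify. The signature is
# checked first, but anything that passes is handed straight to Marshal.load, which
# instantiates whatever classes the payload names.
def decode_session(cookie, secret = SECRET_TOKEN, serializer: :marshal)
  payload, sig = cookie.split("--", 2)
  return nil unless sig && secure_compare(sig, sign(payload, secret))
  raw = payload.unpack1("m0")
  serializer == :marshal ? Marshal.load(raw) : JSON.parse(raw)
end

# Attacker side: with the secret in hand, minting a cookie for any session is one
# call, and the server cannot tell it from a cookie it issued itself.
def forge_cookie(session, secret = SECRET_TOKEN, serializer: :marshal)
  encode_session(session, secret, serializer: serializer)
end

# Harmless canary (an assumption of this example, not a real gadget): Marshal.load
# calls marshal_load on any class that defines marshal_dump, so code runs during
# deserialisation. Real attacks use classes already loaded by the app or its gems.
class DeserializationCanary
  class << self
    attr_accessor :loaded
  end
  self.loaded = false

  def marshal_dump
    "canary"
  end

  def marshal_load(_data)
    self.class.loaded = true
  end
end

# Forge a session carrying the canary, feed it to the server-side decoder and report
# whether code ran during deserialisation.
def canary_fires?(serializer: :marshal)
  DeserializationCanary.loaded = false
  session = if serializer == :marshal
    { "user_id" => 1, "payload" => DeserializationCanary.new }
  else
    # JSON cannot carry an object. The closest an attacker gets is the json_class
    # hook, which JSON.parse ignores unless create_additions is explicitly enabled.
    { "user_id" => 1, "payload" => { "json_class" => "DeserializationCanary", "data" => "canary" } }
  end
  decode_session(forge_cookie(session, serializer: serializer), serializer: serializer)
  DeserializationCanary.loaded
end

if __FILE__ == $PROGRAM_NAME
  admin = forge_cookie({ "user_id" => 1, "admin" => true })
  puts "forged admin session accepted: #{decode_session(admin).inspect}"
  puts "tampered signature accepted:   #{!decode_session(admin.sub(/--\h+\z/, "--" + "0" * 40)).nil?}"
  puts "accepted after secret rotation: #{!decode_session(admin, "rotated-secret").nil?}"
  puts "code ran under Marshal:        #{canary_fires?(serializer: :marshal)}"
  puts "code ran under JSON:           #{canary_fires?(serializer: :json)}"
end
```

The last two checks are the practical fixes: move the secret out of source control and rotate it, and do not deserialise untrusted input with Marshal. Later Rails versions default to a JSON cookie serializer for exactly this reason.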

Here is the interesting part. By exploiting the vulnerability, the researcher was able to make the server dump a database containing Instagram and Facebook usernames and password hashes of the companies' employees. Even though the passwords were hashed with bcrypt, Wineberg easily cracked many of the weak ones.

Probably stunned by this discovery, Wineberg did not stop there and continued his research.

He then investigated other configuration files on sensu.instagram(.)com's server and found that one of them contained keys for the Amazon Web Services account used to host Instagram's Sensu setup. Those keys listed 82 unique Amazon S3 buckets (storage units). The latest version of the file in the bucket he could read contained nothing of interest, but an older version contained another key pair that let him read the contents of all 82 buckets:

Instagram’s source code
SSL certificates and private keys (including for instagram.com and *.instagram.com)
API keys that are used for interacting with other services
Images uploaded by Instagram users
Static content from the instagram.com website
Email server credentials
iOS/Android app signing keys

Facebook’s Reaction

Logically, Wineberg reported his key finding to Facebook's security team. However, Facebook was more concerned with the fact that the researcher had accessed employees' and users' private data than with the vulnerability itself. Facebook paid for the initial RCE report but refused to reward the subsequent findings and disqualified him from its bug bounty program.

Here is the official statement given by Facebook:

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.
We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings; we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work.

So, which side are you on?

Milena Dimitrova
