Insecure Data Storage (Access Token exposed) Instagram

Hello friends, this is an issue I found during my security research while reversing the Instagram app.

During analysis I went straight to the juicy part, “shared_pref.xml”, hoping it had something for me 😀. I dug further and found that it was leaking the fb_access token in clear text :O. I then tried to work out what its impact could be, but before doing that I checked the validity of the token and the permissions attached to it. So I opened up the Facebook Graph API Explorer, pasted the fetched token into the API and debugged it. Other interesting things I found were that it had the publish_actions permission and a long lifetime (2 months).

So why is this an issue?

According to OWASP:
It is important to threat-model your mobile app to understand the information assets it processes and how the underlying APIs handle those assets. These APIs should store sensitive information securely. Places OWASP most often sees data being stored insecurely include the following:

  • SQLite databases
  • Log Files
  • Plist Files
  • XML Data Stores or Manifest Files
  • Binary data stores
  • Cookie stores
  • SD Card
  • Cloud synced

Let me give you a scenario, or a possible explanation.
An attacker installs a malicious app on the victim's device. That app fetches the XML file holding the access token and remotely sends the token to the attacker, who can then do evil stuff with the victim's account.
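As an added example (not code from the original post), here is a small audit script a defender can run over a shared_prefs XML pulled from a test device to flag credential-looking values stored in the clear; the sample file and the token value are constructed placeholders modelled on the post's finding, not real data.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android shared_prefs XML file, modelled on the
# post's finding; the token value is a made-up placeholder, not a real token.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="fb_access_token">EXAMPLEaBcDeF0123456789placeholderTOKENvalueXYZ</string>
    <string name="fb_access_token_expires">2015-02-11T14:33:00Z</string>
    <string name="username">vishwa</string>
    <boolean name="seen_tutorial" value="true" />
    <int name="launch_count" value="3" />
</map>
"""

# Key names that typically hold credentials or session material.
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|api_?key|session)", re.I)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; long random-looking strings score high."""
    if not value:
        return 0.0
    counts = {ch: value.count(ch) for ch in set(value)}
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cleartext_secrets(xml_text: str, min_len: int = 20, min_entropy: float = 3.5):
    """Return (key, value) pairs that look like credentials stored in the clear.

    A hit needs a credential-like key name and a value that is long and
    random-looking; short or structured values (dates, usernames) are skipped.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root:
        name = elem.get("name", "")
        # <string> keeps its value as element text; other types use a value attribute.
        value = (elem.text or "") if elem.tag == "string" else elem.get("value", "")
        if not SENSITIVE_KEY.search(name):
            continue
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for key, val in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"cleartext credential in shared_prefs: {key} = {val[:8]}...")
```

On a real device the file would be pulled with adb from the app's private shared_prefs directory, which is only readable by the app itself unless the device is rooted, which is exactly the condition the vendor reply below turns on.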

So it was an insecure data storage issue.
I immediately reported this issue to Facebook and was eagerly waiting for their reply 😀.

[+] Tested on a 4.2 Jelly Bean Android emulator.
Tools used:
[+] adb
[+] Reported on 11 December 2014 14:33

Video PoC:

https://drive.google.com/file/d/0B6EUD5GE6yQCU2cxZUFTRVJ1RzQ/view?pli=1

And this was the reply:

Facebook security: If your device was rooted? Then it's not our issue!

They rejected this issue just because I tested it on the emulator. Is it my fault that it comes pre-rooted? And I was like...

But I was still not happy with their answer and tried to explain further. This time a core member of their dev team replied with this:

“We appreciate your report, but currently I'm going to close out this report. If you feel you have more information to add, feel free to reopen it and add that information.
Thanks,”

And they closed it again.

So later on I asked the Twitter security team about the same issue in the same context.

Ans: Hi Vishwa, thanks for reaching out to us. We don't have any issue regarding the context of the device being rooted. If you have got any serious issue then we are eager to hear about it.
Regards,

Twitter dev team.

Similarly, I went to the Yandex security team and their reply regarding the context was the same as Twitter's.

So that was all, guys.

Thank you for reading. Better luck next time. #never give up 🙂
