Exploiting Instagram APIs

Hello friends, it has been a while since I blogged. This time I am writing about one of my old issues. I was checking Instagram, and as a whitehat at heart I went straight into testing its privacy/security measures. XSS, CSRF and OAuth issues were already fixed and were being hunted down by other folks 😛, so I was checking my favourite part, the API endpoints, and within a few hours I found 4 flaws with the API, i.e.

Pwning calls like GET, PUT, POST, DELETE

GET / https://api.instagram.com/v1/users/{user-id}/media/recent

GET / https://api.instagram.com/v1/media/<media_id>/comments/[comment_id]

PUT / [the Instagram API rarely uses PUT; it uses POST for most of the update actions]

POST / https://api.instagram.com/v1/media/{media-id}/likes

DELETE / https://api.instagram.com/v1/media/{media-id}/likes

Attack –> Once user1 blocks user2, user2 should no longer be able to see, like, share, post or comment on the victim's posts, or see who liked the victim's post, right? The same feature exists in Facebook.

Scenario:

Someone is spamming your Instagram wall, posting abusive stuff on your image that is very personal and that you don't like.
You now want him removed from your environment and want to keep him away from all your personal stuff,
so you have blocked me now? You think the work is done, but it is not.
The attacker will try to find out what is going on with the image, but he can't, because you have blocked him, so he cannot interact with your resources. From the API endpoint, however, there is a flaw: he can still make those calls with the media ID to like, unlike, see comments, see who liked your post, follows, etc.

The interesting thing was that posting comments was restricted! It means the API was still performing some checks on some POST calls, except POST/DELETE on /likes, but none at all on GET calls.

The media_id can be easily figured out via Instagram's oEmbed feature by just putting in the [URL of the resource], which allows you to create embed code for a user's post.

Impact: The attacker was not able to perform any of the above actions from the UI endpoint, but was able to bypass the above blocks via the API endpoint with his own access_token. Now he can delete likes, create likes, see comments, see who liked the victim's post, etc. in authenticated sessions, which violates the block functionality, isn't it?

Reason behind this?
The application was not verifying, for calls made with an access_token, whether the caller was the original owner or a blocked user; it was simply serving them.

Initial Instagram design flaw:
The root reason is Instagram's initial design. It is very open: it lets you see everything in unauthenticated sessions, whereas Facebook
has given users the choice of what they want to show or hide from outsiders [even in unauthenticated sessions]. So here, no matter what,
the application can only apply restrictions in authenticated sessions, because only then can it check whom to allow and whom to restrict.
When a user authenticates, Instagram performs only basic checks by hiding the controls and showing a non-interactive page to the blocked user,
but exploitation is possible from the API endpoint, which breaks the basic block function, isn't it?
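To make the "reason behind this" and the design-flaw discussion above concrete, here is an added example (my own illustration, not Instagram's code) of a small request handler for the /likes and /comments endpoints. With enforce_block=False it reproduces the reported behaviour, where the block relationship was checked only when posting a comment; with the default it applies one authorization gate before any method touches a resource whose owner has blocked the caller. All users, tokens and media IDs are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class Media:
    id: str
    owner: str
    likes: set = field(default_factory=set)
    comments: list = field(default_factory=list)

# Constructed sample state (not real accounts): "victim" has blocked "spammer".
TOKENS = {"tok-victim": "victim", "tok-spammer": "spammer", "tok-friend": "friend"}
BLOCKS = {"victim": {"spammer"}}  # owner -> users that owner has blocked
MEDIA = {"m1": Media("m1", "victim", likes={"friend"}, comments=["nice shot"])}

def is_blocked(owner, requester):
    return requester in BLOCKS.get(owner, set())

def handle(method, path, token, body="", enforce_block=True):
    """Dispatch GET/POST/DELETE on /v1/media/{media-id}/likes and .../comments.
    enforce_block=False reproduces the reported behaviour: the block check ran
    only when posting a comment. Returns (status, payload)."""
    requester = TOKENS.get(token)
    if requester is None:
        return 401, "invalid access_token"
    parts = path.strip("/").split("/")  # ["v1", "media", "<id>", "likes"|"comments"]
    if len(parts) != 4 or parts[:2] != ["v1", "media"] or parts[3] not in ("likes", "comments"):
        return 404, "unknown endpoint"
    media = MEDIA.get(parts[2])
    if media is None:
        return 404, "no such media"
    sub = parts[3]
    # Fix: the relationship check gates every method on the resource, not just one.
    needs_check = enforce_block or (method == "POST" and sub == "comments")
    if needs_check and is_blocked(media.owner, requester):
        # Production APIs often answer like a missing resource here, so the status code does not confirm existence.
        return 403, "blocked by owner"
    if method == "GET":
        return 200, sorted(media.likes) if sub == "likes" else list(media.comments)
    if method == "POST" and sub == "likes":
        media.likes.add(requester)
        return 200, "liked"
    if method == "DELETE" and sub == "likes":
        media.likes.discard(requester)
        return 200, "unliked"
    if method == "POST" and sub == "comments":
        media.comments.append(f"{requester}: {body}")
        return 200, "commented"
    return 405, "method not allowed"
```

The UI hiding controls is not an authorization check; the server-side gate must run on every method of every endpoint that touches the owner's resources.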

[+] Fact: despite their patch I was again able to bypass the Instagram block 😛, so there is no need of a block feature then? Well, let them decide now or in the future; hopefully someone will ping them.
Video PoC:

Timeline:

[13 April 2015] Reported this issue to the team
[14 April 2015] Better PoC provided with video
[16 April 2015] Got a reply asking for more info
[16 April 2015] Info provided
[21 April 2015] Changes were made, asked to confirm
[21 April 2015] Again reproduced the issue
[6 May 2015] Escalated to product team
[29 September 2015] Team is still working on a fix
[10 October 2015] Closed
[10 October 2015] Reopened again
[13 March 2016] Again escalated
[20 April 2016] Issue fixed by the team with no bounty

Changes made by the team after the report:

1.) Added a console for API documentation
2.) Added a sandbox approach
3.) Fixed the API and UI consistency

Now all the issues are patched at both endpoints, API and UI.

$logout
