Swinnen: How I broke Instagram

Security researcher Arne Swinnen found a flaw in Instagram that allowed members' passwords to be recovered with brute-force attacks. The security gap would have let the researcher gain access to roughly 20 accounts.

The NVISO researcher reports that an authentication gap, combined with an insecure object reference vulnerability, allowed attackers to access 4% of the accounts that were in a temporary locked state.

Facebook, which owns Instagram, rewarded Swinnen (@arneswinnen) with 5000 dollars for reporting the vulnerability, and within 10 days developed a patch that fixes it.

Swinnen discovered an account verification link using a demo account and then started changing the user ID in the URL, trying a million accounts.

The verification flow differed between accounts. Some accounts were secure, while others allowed an attacker to obtain passwords.
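The root cause described above is a verification link that identifies the account only by a guessable user ID. The added example below (not from the original post or from Instagram's code) contrasts that weak pattern with a link bound to the user ID and an expiry through an HMAC; the secret, the user table and the TTL are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment would load it from a KMS or env var.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 15 * 60  # seconds a verification link stays valid


def weak_verify(user_id, users):
    """Vulnerable pattern: the link carries only a user ID, so whoever
    changes the number in the URL can verify (and reach) any locked account."""
    user = users.get(user_id)
    if user is None or not user["locked"]:
        return False
    user["locked"] = False
    return True


def _tag(user_id, exp):
    msg = f"{user_id}:{exp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Hardened pattern: bind the link to user ID and expiry with an HMAC,
    so the ID alone is not enough and the token cannot be enumerated."""
    exp = int((now if now is not None else time.time()) + TOKEN_TTL)
    return f"{user_id}:{exp}:{_tag(user_id, exp)}"


def strong_verify(token, users, now=None):
    """Accept only an unexpired token whose tag matches the embedded user ID."""
    try:
        uid_s, exp_s, tag = token.split(":")
        user_id, exp = int(uid_s), int(exp_s)
    except ValueError:
        return False
    if exp < (now if now is not None else time.time()):
        return False
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(_tag(user_id, exp), tag):
        return False
    user = users.get(user_id)
    if user is None or not user["locked"]:
        return False
    user["locked"] = False
    return True
```

A per-identifier rate limit on the endpoint is still needed, since a signed token stops enumeration of the link but not password guessing elsewhere.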

"The case was quite embarrassing, as an attacker could collect sensitive user information (phone numbers) on the one hand, and on the other hand change the phone numbers associated with the victim's account on Instagram," Swinnen said.

More details at the link below:

https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/


Written by Dimitris
