For this post, I’m going to show how I was able to hack into Instagram accounts via OAuth vulnerabilities (Instagram.com/facebook.com).
There are basically two ways to take advantage of Instagram OAuth.
Hijack Instagram accounts using Instagram OAuth (https://instagram.com/oauth/authorize/)
Hijack Instagram accounts using Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)
Successful attack will allow us access to:
The ability to delete photos and edit comments
The ability to post new photos.
Because I’m a fun of Instagram,” I thought to myself, “Maybe I should check their security?”
So When Facebook Acquired Instagram, I Started to check them for Security Vulnerabilities,
I reported them several vulnerabilities, Including OAuth Attacks, But the acquisition didn’t closed yet and Facebook Security was unable to put their hands on security issues, So I waited, I waited as a WhiteHat,
Later I received a message from Facebook Security, They said, Even they could not fix it, They still want to pay these vulnerabilities.
So I told them, No need for payout, That’s Because they could not perform security checks before the closing of the acquisition,
It’s amazing to see how Facebook Security doing a great job regarding their bug bounty program, Even that they didn’t close the acquirement, They still want to pay for these vulnerabilities.
While researching Instagram’s security parameters, I noticed that Facebook Security had produced some impressive results in regard to their own Instagram OAuth vulnerabilities. They essentially blocked access to any and all files, folders, and subdomains by validate the redirect_uri parameter.
In addition, redirection was only allowed to go to the owner app domain. That was particularly bad news for me.
Thus, I needed to locate some other way to get past their protection. Further complicating the issue was the fact that you can’t use a site redirection / XSS on the victim’s owner app. This is because you have no access to the files or folders on the owner app domain through the redirect_uri parameter.
Redirect_uri=https://apigee.com/%23,? or any special sign
As it stands, it appears that the redirect_uri is invulnerable to OAuth attacks.
While researching, I came upon a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth and then send the access_token code to their own domain.
Let’s say my app client_id in Instagram is 33221863xxx and my domain is breaksec.com
In this case, the redirect_uri parameter should allow redirection only to my domain (breaksec.com), right? What happens when we change the suffix in the domain to something like:
In this example, the attacker can send the access_token, code straight to breaksec.com.mx. For the attack to be successful, of course, the attacker will have to buy the new domain (in this case, breaksec.com.mx).
It’s also feasible to purchase other breaksec.com domains like:
With this bug, I used the Instagram client_id value through the Facebook OAuth (https://www.facebook.com/dialog/oauth).
When you use the Instagram app, it can be integrated with Facebook.
When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place.
To my surprise, I discovered that an attacker can use virtually any domain in the redirect_uri, next parameter. This was actually sort of baffling, and I don’t know why this happened, but it worked. You can literally use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id.
This effectively allows the attacker to steal the access_token of any Instagram user,
With the access_token the attacker will be able to post on the victim behalf in his Facebook account, Access to his private friends list.