Facebook has repaired a vulnerability in its Instagram social media platform, after a researcher found that it could be exploited to link users’ phone numbers to their account numbers, usernames and actual names.
With the help a brute-force algorithm and a network of bots, malicious actors could have leveraged the flaw to bypass data security protections and gain access to information that they could have used to build a searchable database of users for future attack campaigns, according to Forbes reporter Zak Doffman in an article published earlier today.
The flaw was discovered by an Israeli hacker with the Twitter handle @ZHacker1, who says he privately disclosed the issue to Facebook back in early August. However, @ZHacker1 claimed that the social media giant was not acting with urgency to address the problem. Doffman last week contacted Facebook, which reportedly confirmed the vulnerability and shortly thereafter issued its fix.
The vulnerability resided specifically within the Instagram platform’s contact importer feature, and could have been exploited via a two-step process. First, an attacker would have had to use a brute-force algorithm Instagram’s login form to enumerate through random phone numbers to see which ones are actually associated with active accounts. According to @ZHacker13, a single machine running said algorithm could query roughly 15,000 numbers, which on average would return around 1,000 numbers with valid accounts. However, there are no limits in terms of running multiple instances of the algorithm.
The next step involves abusing Instagram’s Sync Contacts feature to link the brute-forced phone numbers with their corresponding account names and numbers, along with their associated user information. Forbes reports that attackers could have used automated bots to abuse this process.
“A bot sets up a new account, and Instagram then asks the new user (our bot) whether it wants to sync their contacts. Ordinarily this would return a mass of account numbers and names, with no ability to link those account details to phone numbers. But, if the contact list has a single number in it, then it will return the linked details,” Doffman explains.
Although the ability to sync contacts was limited to just three individual users per day, there was nothing to stop an attack from running multiple bots simultaneously on one machine in order to collect details on more users and rack up a database of potential targets for future attacks.
In response to this issue, “We’ve made a change to the contact importer on Instagram to help prevent the kind of abuse outlined by the researcher and will reward him in line with our policies,” a Facebook spokesperson said in a statement issued to SC Media. The statement does not elaborate further on how Facebook fixed the issue, but the company reportedly told @ZHacker13 at one point that it was working on enforcing stricter rate limits.
Reportedly, Facebook had originally refused to reward @ZHacker with a bug bounty because the company claimed its team was already aware of the issue prior to the hacker’s disclosure. However, Doffman says he convinced Facebook to change its mind.
Facebook has repeatedly been the subject of recent criticism for various data security and privacy controversies, including a breach discovered in September 2018 and the Cambridge Analytica scandal. Just last week, security researcher Sanyam Jain recently found unprotected databases that exposed information on more than 419 million Facebook users. In this particular case, however, the servers belonged to a third party and the data was collected before Facebook took steps to restrict access to such information.
“Once again, Facebook is in the news for the wrong reason,” said Vinay Sridhara, CTO at Balbix, in emailed comments. “Exploiting the Instagram vulnerability would allow a threat actor to obtain access to up to date phone numbers and other pieces of information for potentially all users – in theory. Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim.”
“There is an important distinction between what a user chooses to make public, such as a unique handle or username, and the personally identifiable information (PII) that they use to create accounts,” said Anurag Kahol, CTO of Bitglass. “When individuals make user profiles for any given service, they trust that their PII will be kept secure… While there are no signs that credentials were leaked or data was stolen by hackers, users could have had their accounts and information exposed if a researcher hadn’t found the issue and intervened.”