An information security bug-bounty hunter discovered a way to brute force Instagram accounts by taking advantage of a series of flaws in the social media site, compounded by its users' weak password habits, that could have exposed millions of accounts.
Researcher Arne Swinnen found four specific weaknesses in Instagram's security arrangements that, when combined with the average person's reluctance to create complex passwords, left the photo-sharing site's accounts extremely vulnerable. All of the problems have been patched by the Facebook-owned site.
The first issue noted by Swinnen was that Instagram members' usernames are public and enumerable through the site's incremental user IDs. The next problem was the site's weak password policy, which enforced only a minimum length of six characters, allowing members to choose the always popular “123456” and “password” if they desired, he said in his blog.
This minimum was allowed even though Instagram's system can handle much longer passwords, Tod Beardsley, security research manager at Rapid7, told SCMagazine.com in an email.
“While many sites limit password length to 10 or 12 characters, Instagram appears to allow extremely long passwords (over 40 characters), so users can take advantage of this to create passwords which are not guessable even in the face of a rate unlimited attack like the one described by Swinnen,” Beardsley said, adding that a user should always use the longest allowable password. He noted, though, that this would require the use of password management software.
Swinnen next pointed out that Instagram did not institute a two-factor authentication (2FA) program until February and has still not rolled it out globally.
Mike Raggo, ZeroFOX chief research scientist, applauded the addition of 2FA: “The addition of two-factor authentication is also a nice move to deterring account theft, and we've seen other social media services make similar moves. In short, these are critical steps in fortifying the Instagram service for its users.”
The final flaw, and the one that most enabled Swinnen to brute force Instagram, was the site's lack of an account lockout policy, a control that allows a user only a set number of login attempts before the account is locked.
The code Swinnen created to brute force the site was able to make thousands of guesses, winnowing down the results until the correct combination was found.
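As an added, defender-side illustration of the two controls the article says were missing or too weak (a meaningful password policy and an account lockout after repeated failures), the following Python sketch is example code written for this page; it is not Swinnen's code and not anything from Instagram or Facebook. The thresholds (12-character minimum, five failures, 15-minute lock), the blocklist and the `alice` account are constructed assumptions. Unknown usernames are run through a dummy hash so that they cost the same time and get the same response as real ones, which is the server-side answer to the username-enumeration problem the article mentions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed thresholds for illustration, not Instagram's actual values.
MIN_PASSWORD_LENGTH = 12        # the article says Instagram enforced only 6
MAX_FAILED_ATTEMPTS = 5         # failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60       # how long a lock lasts
PBKDF2_ROUNDS = 100_000

# Constructed blocklist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111"}


def password_policy_check(password):
    """Return (accepted, reason) for a proposed password."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, "too short"
    return True, "ok"


def make_record(password):
    """Salted PBKDF2 hash, stored instead of the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_record(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LoginGate:
    """In-memory login gate enforcing a per-account lockout policy."""

    def __init__(self, records, clock=time.time):
        self._records = records              # username -> (salt, digest)
        self._clock = clock                  # injectable so tests are deterministic
        self._failures = defaultdict(int)
        self._locked_until = {}
        # Dummy record: unknown usernames cost the same hashing time as real ones,
        # so response timing does not reveal whether a username exists.
        self._dummy = make_record(os.urandom(16).hex())

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:           # lock expired: reset the account's state
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'; same wording for bad user and bad password."""
        if self.is_locked(username):
            return "locked"
        record = self._records.get(username)
        known = record is not None
        matched = verify_record(record if known else self._dummy, password)
        if known and matched:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def run_attempts(gate, username, guesses):
    """Feed a constructed guess list through the gate and return each outcome."""
    return [gate.attempt(username, g) for g in guesses]


def demo():
    now = [1_000_000.0]                      # fake clock for a deterministic run
    gate = LoginGate({"alice": make_record("correct horse battery staple")},
                     clock=lambda: now[0])
    # Constructed guess list: the right password is the sixth entry, but the
    # account locks after the fifth failure, so even the right guess is refused.
    guesses = ["123456", "password", "qwerty", "letmein", "111111",
               "correct horse battery staple"]
    outcomes = run_attempts(gate, "alice", guesses)
    now[0] += LOCKOUT_SECONDS                # wait out the lock
    after = gate.attempt("alice", "correct horse battery staple")
    return outcomes, after


if __name__ == "__main__":
    outcomes, after = demo()
    print(outcomes)   # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked']
    print(after)      # ok
```

The lock is keyed on the account, so it stops the per-account guessing the article describes regardless of how many source addresses an attacker uses; a production gate would add a per-source throttle as well and persist the counters somewhere shared between front-end servers rather than in process memory.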
It is imperative that social media outlets like Facebook and Instagram maintain high levels of security, as cybercriminals are singling out these types of sites due to the large amount of actionable data they contain.
"With Instagram now 'tethered' to Facebook, the attack surface becomes much larger with advanced cyber criminals and nation states targeting user credentials and profiles to exploit trust amongst and within the social media circles that account to approximately 40% of the global online user population. Once trust can be exploited, your identity and persona can be used for a multitude of nefarious activities," Peter Tran, RSA's general manager and senior director – Worldwide Advanced Cyber Defense Practice, told SCMagazine.com in an email.
From start to finish it took Swinnen and Facebook almost five months to report and fix the problems.
Swinnen, who earned $5,000 for his reports, issued his first bug report to Facebook on Dec. 28, 2015, with a follow-up report posted on February 2. On February 11 Facebook confirmed that the first reported bug was patched, with the second being fixed two days later. However, Swinnen told Facebook on April 4 that the fix for the second issue was not effective, forcing Facebook to make a change and re-patch the problem on May 10. Swinnen confirmed this fix was working on May 19, and the findings were then made public.