Instagram Patches Brute-Force Authentication Flaws

Facebook on Thursday patched a pair of 

vulnerabilities that enabled brute-force attacks 

against Instagram passwords, and also hardened its

password policy. 


Researcher Arne Swinnen privately disclosed the 

flaws in December and in February 

respectively. One bug was patched in February, 

while the other went through two rounds of 

fixes before the issue was resolved on May 10. 

Swinnen received a combined $5,000 

bounty.



The severity of the vulnerabilities was exacerbated

by Instagram’s weak password policies 

and its practice of enumerating userIDs incrementally put accounts in jeopardy with minimal 

effort, Swinnen said. 


“This could have allowed an attacker to compromise many accounts without any user 

interaction, including high-profile ones,” Swinnen wrote in a report describing details of both

vulnerabilities. 


In response, Instagram no longer allows simple passwords, and now requires a combination

of numbers, letters and punctuation, and recommends that Instagram passwords not be 

used elsewhere online. 


A number of factors put Instagram accounts at risk in addition to the use of incremental 

userIDs and weak password policy, most notably that two-factor authentication has been 

available only since February and many don’t use it, and there is still no account lockout 

policy in place Swinnen said.


The first bug affected the Instagram Android application, and allowed for a bypass of SSL

pinning in the app. SSL pinning, or certificate pinning, is a mitigation for man-in-the-middle 

attacks that adds an extra step to certificate validation ensuring it’s trustworthy. 


“In order to modify and attack this endpoint communication, a key had to be phished from 

the Android application, which is used to generate a HMACSHA256 signature over the 

POST parameters of every outgoing request,” Swinnen said. 


He describes in his post that he wrote a Burp plugin that carries out a brute force against the

mobile authentication endpoint. He found that he could make up to 1,000 guesses from the

same IP address before a “username not found” rate-limiting message was returned. 


“However, only the next consecutive 1,000 guesses resulted in the ‘username not found’ 

response error message,” he said. “From the 2,000th consecutive guess onward, a reliable

response (password correct/incorrect) was followed by an unreliable one (user not found). 


“This allowed a reliable brute-force attack, since an attacker could reason on the reliable 

response messages and simply replay the unreliable ones until a reliable answer was 

received,” Swinnen said.The only limitation of this attack was that on average, 2 

authentication requests had to be made for one reliable password guess attempt.” 


Facebook patched this flaw by addressing the rate-limiting feature. 


The second bug allowed for another trivial brute-force attack against the Instagram web 

registration endpoint that did not trigger an account lockout or other security controls, he 

said. He replayed the initial successful request but first removed the username and 

password parameters and monitored the responses. He was able to try more than 10,000 

times before sending over the correct password and getting an affirmative response from 

the page. Facebook’s patch involved the introduction of rate-limiting, however the initial 

patch released in February was ineffective, Swinnen said, and Facebook went back to the 

drawing board before shoring things up 10 days ago.