Friday, 20 May 2016
Posted at 23:47 by admin
Facebook on Thursday patched a pair of
vulnerabilities that enabled brute-force attacks
against Instagram passwords, and also hardened its
password policy.
Researcher Arne Swinnen privately disclosed the
flaws in December and in February
respectively. One bug was patched in February,
while the other went through two rounds of
fixes before the issue was resolved on May 10.
Swinnen received a combined $5,000
bounty.
The severity of the vulnerabilities was exacerbated by Instagram's weak password policy and
its practice of assigning user IDs incrementally, which together put accounts in jeopardy
with minimal effort, Swinnen said: a predictable ID space means an attacker can walk every
account, and a weak policy means a short guess list covers many of them.
“This could have allowed an attacker to compromise many accounts without any user
interaction, including high-profile ones,” Swinnen wrote in a report describing details of both
vulnerabilities.
In response, Instagram no longer allows simple passwords, and now requires a combination
of numbers, letters and punctuation, and recommends that Instagram passwords not be
used elsewhere online.
A number of factors put Instagram accounts at risk in addition to the use of incremental
user IDs and the weak password policy, most notably that two-factor authentication has been
available only since February and many users don't enable it, and that there is still no
account lockout policy in place, Swinnen said.
The first bug affected the authentication endpoint used by the Instagram Android
application; exploiting it required bypassing SSL pinning in the app. SSL pinning, or
certificate pinning, is a mitigation for man-in-the-middle attacks that adds an extra step to
certificate validation: the app accepts only the certificate or public key it was built to
expect, rather than any certificate signed by a trusted CA.
“In order to modify and attack this endpoint communication, a key had to be phished from
the Android application, which is used to generate a HMACSHA256 signature over the
POST parameters of every outgoing request,” Swinnen said.
In his post he describes a Burp plugin he wrote to brute-force the mobile authentication
endpoint. He found that he could make up to 1,000 guesses from the same IP address before a
"username not found" rate-limiting message was returned.
“However, only the next consecutive 1,000 guesses resulted in the ‘username not found’
response error message,” he said. “From the 2,000th consecutive guess onward, a reliable
response (password correct/incorrect) was followed by an unreliable one (user not found).”
“This allowed a reliable brute-force attack, since an attacker could reason on the reliable
response messages and simply replay the unreliable ones until a reliable answer was
received,” Swinnen said. “The only limitation of this attack was that on average, 2
authentication requests had to be made for one reliable password guess attempt.”
Facebook patched this flaw by addressing the rate-limiting feature.
The second bug allowed for another trivial brute-force attack, this time against the
Instagram web registration endpoint, which did not trigger an account lockout or any other
security control, he said. He replayed the initial successful request, having first removed
the username and password parameters, and monitored the responses. He was able to try more
than 10,000 times before sending the correct password and getting an affirmative response
from the page. Facebook's patch involved the introduction of rate-limiting; however, the
initial patch released in February was ineffective, Swinnen said, and Facebook went back to
the drawing board before shoring things up 10 days ago.
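The two attacks above share one failure mode: a rate limiter that sometimes skips the password check and tells the client so, or that never counts attempts at all, hands the attacker a free retry. The following Python model is an added example, not Swinnen's Burp plugin and not Instagram's code. It simulates the mobile endpoint's behaviour exactly as the quoted description gives it (1,000 reliable answers, 1,000 "user not found" answers, then alternation), signs each request with HMAC-SHA256 over the POST parameters as the quote describes, runs the replay-on-unreliable-response loop against it, and contrasts a hardened endpoint that counts every attempt per IP and per account before checking the password. The app key, the account `alice`/`hunter2`, the IP address and the lockout thresholds are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo values: a key "extracted from the app", one sample account.
APP_KEY = b"demo-app-key-extracted-from-apk"
USERS = {"alice": "hunter2"}


def sign(params: dict, key: bytes = APP_KEY) -> str:
    """HMAC-SHA256 over the canonicalised POST parameters, as the app is described doing."""
    body = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class FlawedAuthEndpoint:
    """Models the quoted behaviour: requests 1-1000 from an IP are answered honestly,
    1001-2000 all get 'user not found', and from 2001 on honest and 'user not found'
    answers alternate. The password is NOT checked on the unreliable answers."""

    def __init__(self):
        self.count = defaultdict(int)  # per-IP request counter

    def login(self, ip: str, params: dict, sig: str) -> str:
        if not hmac.compare_digest(sign(params), sig):
            return "bad signature"
        self.count[ip] += 1
        n = self.count[ip]
        if 1000 < n <= 2000 or (n > 2000 and n % 2 == 0):
            return "user not found"  # unreliable: limiter fired, guess not evaluated
        if USERS.get(params["username"]) == params["password"]:
            return "password correct"
        return "password incorrect"


class HardenedAuthEndpoint:
    """Counts every attempt per IP and per account BEFORE evaluating the password, locks
    out past a threshold, and never reveals whether the limiter or the check rejected it.
    Thresholds are assumptions for the demo, not Instagram's."""

    IP_LIMIT = 200
    ACCOUNT_LIMIT = 20

    def __init__(self):
        self.by_ip = defaultdict(int)
        self.by_account = defaultdict(int)

    def login(self, ip: str, params: dict, sig: str) -> str:
        if not hmac.compare_digest(sign(params), sig):
            return "invalid credentials"
        user = params["username"]
        self.by_ip[ip] += 1
        self.by_account[user] += 1  # replays count too, so the limiter cannot be skipped
        if self.by_ip[ip] > self.IP_LIMIT or self.by_account[user] > self.ACCOUNT_LIMIT:
            return "invalid credentials"
        if USERS.get(user) == params["password"]:
            return "password correct"
        return "invalid credentials"


def brute_force(endpoint, ip: str, username: str, wordlist, key: bytes = APP_KEY):
    """The replay strategy from the post: treat 'user not found' as 'not evaluated' and
    resend the same signed request until a reliable answer arrives.
    Returns (recovered password or None, total requests sent)."""
    sent = 0
    for guess in wordlist:
        params = {"username": username, "password": guess}
        sig = sign(params, key)
        while True:
            sent += 1
            resp = endpoint.login(ip, params, sig)
            if resp != "user not found":
                break
        if resp == "password correct":
            return guess, sent
    return None, sent


def demo():
    """Constructed 2,500-entry guess list with the real password at position 2,300."""
    wordlist = [f"pw{i:04d}" for i in range(2500)]
    wordlist[2299] = USERS["alice"]
    flawed = brute_force(FlawedAuthEndpoint(), "203.0.113.7", "alice", wordlist)
    hardened = brute_force(HardenedAuthEndpoint(), "203.0.113.7", "alice", wordlist)
    return flawed, hardened


if __name__ == "__main__":
    (pw, n_flawed), (pw2, n_hard) = demo()
    print(f"flawed endpoint: recovered {pw!r} after {n_flawed} requests "
          f"({n_flawed / 2300:.2f} requests per reliable guess)")
    print(f"hardened endpoint: recovered {pw2!r} after {n_hard} requests")
```

Against the flawed model the attacker recovers the password with 4,599 requests for 2,300 guesses, just under two requests per guess, matching the average Swinnen reports; the cost of the limiter is a factor of two, not a stop. Against the hardened model the account is locked after its twentieth attempt and every later answer is identical to a wrong password, so the same loop exhausts the list without learning anything. A request signed with the wrong key is rejected outright, which is why extracting the HMAC key from the app was a prerequisite for the attack.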