Security consultant Arne Swinnen says Instagram has shuttered brute-force authentication holes that allowed hijacking of some 20 million accounts. The NVISO infosec man says an absent authentication control, coupled with an insecure direct object reference (IDOR) vulnerability, meant attackers could commandeer some four percent of accounts held in a temporary lock state. Instagram owner Facebook paid Swinnen (@arneswinnen) US$5000 for reporting the holes, slinging a patch within 10 days of the disclosure earlier this month.
Tod Beardsley, Security Research Manager at Rapid7, told us that “the authentication issues found and reported by Arne Swinnen highlight the success of Facebook’s bug bounty program for its Instagram property. The combination of easy user enumeration — guessing valid user IDs — and evadable password-guessing rate limiting means that attackers could have hijacked thousands of Instagram accounts for the purpose of spamming and phishing attacks, undetected.
“Because Facebook and Swinnen worked together to identify and fix the rate limiting issues, Facebook gets to tell a positive story of better security moving forward. While Swinnen was the first to report, there is no guarantee that the researcher was the only person to discover these issues; Instagram users are encouraged to go above and beyond the minimum password requirements and change their passwords as soon as practical.”
Tod then went on to remind users of some of the key things to bear in mind when thinking about passwords: “The best passwords are as long as the service allows, made of purely random characters, and saved in a password manager such as KeePass, 1Password, or LastPass. While many sites limit password length to 10 or 12 characters, Instagram appears to allow extremely long passwords (over 40 characters), so users can take advantage of this to create passwords which are not guessable even in the face of a rate-unlimited attack like the one described by Swinnen.”
ORIGINAL SOURCE: The Register