Security researcher discovered Instagram vulnerabilities and was threatened by Facebook executives

Source: Internet
Author: User



An independent security researcher claims to have discovered a series of security vulnerabilities and configuration defects in Instagram. By exploiting them, he gained access to sensitive data stored on Instagram's servers. After reporting the vulnerabilities to the vendor, he was threatened by Facebook.
Have you ever wondered how to crack Instagram, or how to hack a Facebook account? Well, now someone has done it. It is worth remembering, though, that even reporting a security vulnerability responsibly may lead the vendor to take legal measures against you.
Vulnerability Analysis
The sensitive data stored on the Instagram servers included:
1. Source code of the Instagram website
2. SSL certificate and private key of Instagram
3. Key used for signing and cookie authentication
4. Private information of Instagram users and employees
5. Email server certificate
6. More than six other keys serving various functions
However, not only did Facebook not offer him a reward, it threatened to sue the researcher on the grounds that he had intentionally withheld the vulnerability details and the data he accessed. Wesley Weberger, a senior security researcher at Synack, was taking part in Facebook's bug bounty program. After a friend suggested that a vulnerability might exist on Instagram's sensu.instagram.com server, he began analyzing the Instagram system.
The researcher discovered a remote code execution vulnerability in the way Instagram processed user session cookies, the cookies normally used to remember a user's login. The vulnerability arose from two defects:
1. The Sensu-Admin web application running on the server contained a hard-coded Ruby secret token (the key used to sign session cookies).
2. The host was running Ruby (3.x), a version affected by a code execution vulnerability through Ruby session cookies.
With this vulnerability, Weberger could force the server to dump a database containing login details, including credentials of Instagram and Facebook employees. Although the passwords were hashed with bcrypt, Weberger cracked a large number of weak passwords (such as changeme, instagram, and password) within minutes.
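The two defects above both come down to the cookie-signing secret: whoever holds it can mint a cookie the server trusts, and a hard-coded secret in a config file is effectively public. The following added example (not Instagram's, Sensu's, or the researcher's code) shows the defensive shape of a signed session cookie in plain Ruby: the secret comes from the environment (the variable name SESSION_SECRET is an assumption), the payload is JSON rather than Marshal so a forged cookie cannot deserialize into arbitrary objects, and rotating the secret invalidates every cookie issued under the leaked one.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Minimal signed-cookie scheme (added example, not Instagram's or Sensu's code).
module SessionCookie
  # Load the secret from the environment instead of a hard-coded constant.
  # SESSION_SECRET is a hypothetical variable name; refuse to start without it.
  def self.secret_from_env(env = ENV)
    s = env['SESSION_SECRET']
    raise 'SESSION_SECRET is not set or too short' if s.nil? || s.bytesize < 32
    s
  end

  # Sign a session hash: base64(JSON) + "--" + HMAC-SHA256 over the payload.
  # JSON instead of Marshal: a cookie can carry data, never executable objects.
  def self.sign(session, secret)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
  end

  # Verify and decode; returns nil on any mismatch or malformed input.
  def self.verify(cookie, secret)
    payload, sig = cookie.split('--', 2)
    return nil if payload.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
    return nil unless secure_equal?(sig, expected)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Constant-time comparison so the signature cannot be guessed byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Rotating the secret is the first response once it is known to have leaked:
# every cookie signed under the old secret stops verifying.
if $PROGRAM_NAME == __FILE__
  old_secret = SecureRandom.hex(32)
  cookie = SessionCookie.sign({ 'user_id' => 42 }, old_secret)
  puts SessionCookie.verify(cookie, old_secret).inspect          # {"user_id"=>42}
  puts SessionCookie.verify(cookie, SecureRandom.hex(32)).inspect # nil
end
```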
Everything exposed, including your selfies
Weberger did not stop there. He carefully studied the other configuration files found on the server and found that one of them contained keys for several Amazon Web Services accounts, the cloud service used to host Instagram's Sensu setup.
These keys could list 82 Amazon S3 buckets (storage units), but did not give access to the buckets' contents. He found no sensitive information in the latest file in the bucket he could read, but in an older version of that file he found another key pair that could read the contents of all 82 buckets.

Weberger stumbled upon almost everything, including:
1. Instagram source code
2. SSL certificates and private keys (including instagram.com and *.instagram.com)
3. API keys used for interaction with other services
4. Images uploaded by Instagram users
5. Static content of the instagram.com website
6. Email server certificate
7. iOS and Android app signing keys
8. Other sensitive data

Responsible disclosure, but Facebook threatens litigation
Weberger reported his findings to Facebook's security team, but the social media giant was concerned that he had accessed private data of its users and employees while discovering the problem. Consequently, not only did Weberger receive no reward, he was deemed ineligible for Facebook's bounty program.
In early December, Weberger claimed that his boss, Synack CEO Jay Kaplan, had received an alarming call from Facebook security director Alex Stamos about the vulnerability Weberger had found in Instagram, a vulnerability that exposed Instagram and Facebook users to devastating attacks.
Weberger wrote in his blog post titled "Threats and Intimidation":
"Stamos says he doesn't want Facebook's legal team to be involved, but he doesn't know if this is something he needs to solve through the legal department."
In response, Stamos issued a statement saying that he "did not threaten to take legal action against Synack and Weberger, nor did he request to dismiss Weberger." Stamos said he only told Kaplan that "the lawyers on both sides should not intervene in the case."
Facebook's response
After the researcher published his first blog post, Facebook issued a response, claiming that the accusations against it were entirely false and that it had not told Weberger he could not publish his findings; rather, it had asked him not to disclose the private information he had accessed.
The social media giant confirmed that the sensu.instagram.com domain did have a remote code execution vulnerability and awarded Weberger and his friend a $2,500 bug bounty. However, the other vulnerabilities that allowed Weberger to access sensitive data were ruled ineligible: Facebook says Weberger accessed private data in violation of user privacy.
