A researcher hacks into Instagram to reveal a flaw, and he may still be screwed.
Every now and then a student comes into ethical hacking and his starting question is this... "Sir, how do I hack my friend's Facebook account?" As menial and snooze-worthy as this question is, a teacher is always afraid that this just might happen, and voila, it just did. Instagram got its first hack job and Facebook is not happy about it. Even if it was a report on the server's security, even if it was responsible, big conglomerates don't want their flaws to be known.
After revealing security and configuration flaws in Instagram that gave the ethical hacker access to sensitive data on the servers, including:
- Source code of Instagram
- Details of Instagram users as well as employees
- Authentication cookie keys
- And many more goodies
But, as the saying goes, "no good deed goes unpunished": all he got for this was a lawsuit threat and no reward.
The researcher's name is Wesley Wineberg, a security researcher at Synack. He participated in Facebook's bug bounty program and started keeping a close eye on Instagram after one of his buddies pointed him towards the vulnerable box of information called sensu.instagram.com. You see the irony here: Facebook itself put up the bounty and is then threatening to sue him for just being good at it. Ooh! Such injustice!
But what DID he find?
Well, he found a Remote Code Execution bug that came down to two major weaknesses:
- The app running on the server had a hard-coded Ruby token baked in
- The host was running Ruby 3.x, which was susceptible to code execution... meaning this bitch is programmable by an outsider.
And the server threw up all sorts of data, such as login details, including Instagram and Facebook employee credentials (one of them is bound to be fired). Even the passwords that were hashed with bcrypt got taken out by Wesley. But that's the users' fault; having passwords like password, changeme or passwd doesn't do anyone any good.
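As an added example (not code from this post, and not Instagram's or Facebook's), here is what a "hard-coded token" looks like from the defender's side: a small Ruby scanner that flags secrets assigned as string literals in Rails-style config, and the ENV-based form that should replace them. The sample config, the app name MyApp and the environment variable names are all constructed for the example.

```ruby
# Added example (not from the post or from Instagram/Facebook): a tiny scanner
# that flags secrets assigned as string literals in Ruby/Rails-style config,
# plus the environment-variable form that should replace them.
# The config below is a constructed sample; the names are made up.

SAMPLE_CONFIG = <<~RUBY
  # config/initializers/secret_token.rb (constructed sample)
  MyApp::Application.config.secret_token = "0123456789abcdef0123456789abcdef"
  MyApp::Application.config.secret_key_base = ENV.fetch("SECRET_KEY_BASE")
  redis_password = 'changeme'
  # old_secret_token = "this line is commented out and ignored"
RUBY

# Key names that usually hold something an outsider must never see.
SECRET_KEY_NAMES = /secret_token|secret_key_base|api_key|password|token/i

# An assignment whose right-hand side is a quoted literal, e.g.
#   config.secret_token = "0a1b2c..."
# Values read from ENV (ENV["X"], ENV.fetch("X")) do not start with a quote,
# so they are not matched.
LITERAL_ASSIGNMENT = /\A\s*(?<key>[\w.:]*(?:#{SECRET_KEY_NAMES.source}))\s*=\s*(?<q>["'])(?<value>.+?)\k<q>/i

# Returns one finding per hard-coded secret: { line:, key:, value_preview: }.
def find_hardcoded_secrets(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?("#")      # commented-out lines are not live
    m = LITERAL_ASSIGNMENT.match(line)
    next unless m
    findings << { line: lineno, key: m[:key], value_preview: m[:value][0, 4] + "..." }
  end
  findings
end

# The fix for a flagged line: keep the key, read the value from the environment.
def hardened_line(line, env_name)
  m = LITERAL_ASSIGNMENT.match(line)
  return line.chomp unless m
  "#{m[:key]} = ENV.fetch(#{env_name.inspect})"
end

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_secrets(SAMPLE_CONFIG).each do |f|
    puts "line #{f[:line]}: #{f[:key]} = \"#{f[:value_preview]}\"  <- hard-coded"
    puts "  fix: #{hardened_line(SAMPLE_CONFIG.lines[f[:line] - 1], f[:key].split('.').last.upcase)}"
  end
end
```

Run it as a script and it reports the two literal secrets in the sample (the token and the Redis password) and prints the ENV.fetch replacement for each; the line that already reads from ENV is left alone. A scanner like this belongs in CI, so a token never reaches a box that a stranger can reach.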
Selfies exposed... Oh no he didn't!!
There was no stopping the Wesley force. His hacks into Instagram prompted him to find more... a LOT more. He found all the damn keys, which at first didn't reveal much, but a closer Wesley look found the keys to all 82 storage units of the sensu setup. Damn son!
In return, he gets threats and no reward
But the responsible report from Wesley Wineberg apparently got him threats of firing and a lawsuit rather than the reward he was promised. He got disqualified from the bounty because access to private documents doesn't come under the bounty... IN WHAT UNIVERSE, FACEBOOK?! IN WHAT UNIVERSE?! That's not all, OOHH NO! His boss apparently got a scary call from Alex Stamos, the Facebook security chief, to FIRE Wesley! Although this was straight up denied by Stamos on social media afterward.
The response from the social media giant... Facebook!
Facebook claims that Wesley's claims of bullying from Facebook are all false. Never thought I would write this sentence... like, ever. However, they did say that they are aware of the RCE bug and would have given the reward to Wesley and his friend if they had not peeped into the personal documents. It's really petty, coming from a billion-dollar conglomerate, to bitch over $2,500. But that's how the rich are rich! So this is the news on the hacks into Instagram.