Someone just hacked into the servers of Instagram, showing the most secure mechanisms also have bugs.
But you don’t try to do anything like this because even reporting the security vulnerability can end up in taking a legal action against you.
A security researcher gained the access to sensitive data stored on Instagram servers, and he claims that even after responsibly reporting all the security vulnerabilities he was threatened by Facebook. He hacked almost everything of the Instagram including:
- Source Code of Instagram
- SSL Certificates and Private Keys for Instagram
- Keys used to sign authentication cookies
- Personal Information of Instagram users and Employees
- Email Server Credentials.
And then what happened was just unexpected by Facebook, instead of paying him a reward Facebook has threatened to prosecute the researcher for intentionally withholding flaws and information from its team.
It all started when the senior security researcher Weinberg at Synack participated in Facebook’s bug bounty and started analysing the system of Instagram and one of his friend hinted him of the vulnerable server at sensu.instagram.com.
The researchers later found an RCE (Remote Code Execution) bug when they were analysing the users’ cookies that are generally used to remember the users’ log-in details.
And when the researchers exploited the vulnerability it gave them the access to the database containing login details, including credentials of Instagram and Facebook users. Although the passwords were encrypted by ‘bcrypt’ even then Weinberg was able to crack some simple passwords in just a few minutes.
Instagram Hacked: The Facebook Response
After the publication of the vulnerabilities, Facebook in its response said the claims are false and Weinberg was never told not to publish his findings, he was just asked not to publish the non-public information he accessed while hacking.
Facebook confirmed the existence of Remote Code execution in the sensu.instagram.com and promised the bug bounty of $2,500 to Weinberg and his friend. However the vulnerabilities which allowed Weinberg to access the private data of the users were not qualified and rejected by Facebook saying that he violated the users’ privacy.
The full statement of Facebook is below:
We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.
We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.
Have something to add to Instagram Hacked ?? share it in comments .
Follow us on Facebook, Google Plus and Twitter.