
Hackers Successfully Reached Instagram Services Through RCE Vulnerability

Wesley Wineberg, an independent security researcher taking part in Facebook's bug bounty program, managed to break through Instagram's defenses and came close to gaining full control over the service. As soon as the white hat hacker reported the vulnerability to Facebook, the company threatened to sue him instead of paying him a reward.

Wineberg began researching Instagram's systems after a tip from a friend that the sensu.instagram.com web page, an administration panel for Instagram services, was publicly reachable over the Internet.

How the researcher got into the back-end administration panel

The researcher quickly identified the software running the administration panel (Sensu-Admin) and, drawing on earlier research indicating that this software might be vulnerable to RCE (Remote Code Execution), managed to break into the service and read one of its configuration files, which contained the details needed to connect to Sensu's PostgreSQL database.
In that database Wineberg found more than 60 accounts belonging to Instagram and Facebook employees. He continued the investigation by extracting the password hashes, which were stored with bcrypt, and set about cracking them.
Because some of the passwords were very weak (for example changeme, instagram and password), the cracking produced results within a few minutes, and he was soon able to continue the investigation by logging in through the sensu.instagram.com interface.
But the white hat hacker did not stop there: he also looked through the other configuration files he found on the server. In one of them he found a key for an AWS (Amazon Web Services) account, which he then used to access several S3 buckets (storage containers).
Wineberg found Instagram's source code, SSL certificates, API keys used to interact with other services, user images and the static content of instagram.com; as the researcher put it, he had found "EVERYTHING".
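
As an added illustration, not code from the article or from Facebook/Instagram, the two root causes described above (default passwords on service accounts and cloud credentials sitting in plaintext configuration files) can be caught by auditing configuration files before deployment. The configuration text and key values below are constructed, and the weak-password list and the AWS key patterns are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed example of a service configuration of the kind described above:
# a database password field and an embedded AWS key pair. All values are made up.
SAMPLE_CONFIG = """
postgres_host = db.internal.example
postgres_user = sensu
postgres_password = changeme
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = wJalrXUtnFEMIEXAMPLEKEYEXAMPLEKEYEXAMPLE
"""

# Weak values named in the article plus a few common defaults (assumption).
WEAK_PASSWORDS = {"changeme", "instagram", "password", "admin", "123456"}

# AWS access key IDs are 20 characters starting with "AKIA"; secret keys are
# 40 base64-style characters. Both patterns are assumptions for this example.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
# Any key that looks like a password field, followed by its plaintext value.
PASSWORD_KEY_RE = re.compile(r"(?i)(pass(word)?|pwd)\s*[=:]\s*['\"]?([^'\"\s]+)")


def audit_config(text: str) -> Dict[str, List[str]]:
    """Return findings per category; each entry names the offending line."""
    findings: Dict[str, List[str]] = {"aws_key_id": [], "aws_secret": [], "weak_password": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID_RE.search(line):
            findings["aws_key_id"].append(f"line {lineno}")
        if AWS_SECRET_RE.search(line):
            findings["aws_secret"].append(f"line {lineno}")
        m = PASSWORD_KEY_RE.search(line)
        if m and m.group(3).lower() in WEAK_PASSWORDS:
            findings["weak_password"].append(f"line {lineno}: {m.group(3)}")
    return findings


if __name__ == "__main__":
    # Each hit is one of the steps that turned a single RCE into full access here.
    for category, hits in audit_config(SAMPLE_CONFIG).items():
        print(f"{category}: {hits or 'none'}")
```

Cloud credentials belong in an instance role or a secrets manager rather than a file readable by the application, and a hit on a password field should block the deployment, not just log a warning.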
This is where the adventure ends: as a white hat hacker and vulnerability researcher, and given the limits of Facebook's bug bounty program, he had to stop before doing any real damage to the service.
He disclosed his findings to Facebook's security staff, but the conversation did not go as he expected. Instead of receiving a reward for his hard work, Wineberg was ignored and reprimanded by the company's employees.
Facebook's CSO (Chief Security Officer) even secretly called Wineberg and threatened to sue unless Wineberg kept quiet about his findings and deleted all the data he might still have.
After this pressure and the mafia-like behavior exhibited by Facebook, the white hat hacker decided to go public with his findings, writing a blog post that gives the technical details needed to reproduce the bug along with his conversations with Facebook's security division.
“In my opinion, the best action is to be transparent with all of the findings and my interaction,” Wineberg said, as quoted by HackRead. “I do not want to embarrass any individual or company, but I believe that the situation I am in is totally inappropriate.”
Earlier this year, Wineberg received a $24,000 reward for finding security vulnerabilities in Microsoft's Live.com service.


Quoting THN: after the researcher's original publication, Facebook issued a response calling his claims false and saying that Wineberg had never been told not to publish his findings, only asked not to disclose the non-public information he had accessed.
The social media giant confirmed the existence of the RCE bug in the sensu.instagram.com domain and promised a $2,500 reward for Wineberg and his friend (who had originally pointed out the publicly accessible server).
However, the other vulnerabilities that allowed Wineberg to gain access to sensitive data did not qualify, with Facebook saying that accessing that data violated users' privacy.
It seems that Facebook itself is attempting a cover-up, now that its threats have been exposed to the public.

