Wesley Weinberg, A Security Researcher Successfully Hacked into Instagram Admin Panel!

Weinberg began looking at Instagram's systems on a tip from a friend: the web page sensu.instagram.com, an administration panel for Instagram's services, was reachable from the public Internet. It no longer appears to be accessible.


Instagram Hacked - White-Hat Hacker Got Access to Admin Panel!

The researcher found a remote code execution (RCE) bug in the way the panel processed session cookies, the cookies a web application sets so that a logged-in user does not have to authenticate on every request.
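The passage above does not say which framework or serializer the panel used, so the following is an illustration of the general bug class rather than the actual Instagram flaw: a session cookie that is signed and then deserialized into live objects. The signature only proves that whoever holds the signing secret produced the cookie, so once that secret leaks (for instance from a config file, as with the keys discussed later on this page) an attacker can plant an object whose deserialization runs code. This is added example code, not anything from Weinberg's write-up or from Instagram; it uses Python's pickle as the stand-in for an unsafe serializer, the secret value and cookie layout are constructed, and the "payload" merely evaluates a harmless expression where a real one would spawn a shell.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import pickle

# Constructed for this example: a short, guessable signing secret of the kind
# that ends up hard-coded in an admin panel's config file.
SIGNING_SECRET = b"sensu-admin-dev-secret"


def sign_cookie(payload: bytes, secret: bytes) -> str:
    """Cookie format (constructed): base64url(payload) '.' hex(HMAC-SHA256)."""
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + mac


def verify_cookie(cookie: str, secret: bytes):
    """Return the payload bytes if the MAC is valid for `secret`, else None."""
    try:
        b64, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


# Vulnerable pattern: the signature is checked, then the payload is handed to a
# deserializer that rebuilds arbitrary object graphs. A valid MAC only says
# "the key holder wrote this"; it says nothing about whether it is harmless.
def load_session_vulnerable(cookie: str, secret: bytes):
    payload = verify_cookie(cookie, secret)
    if payload is None:
        return None
    return pickle.loads(payload)  # runs whatever __reduce__ hooks the payload names


# Hardened pattern: same MAC check, but the payload is plain JSON and is only
# accepted as a flat dict. Nothing in it can cause code to run.
def load_session_safe(cookie: str, secret: bytes):
    payload = verify_cookie(cookie, secret)
    if payload is None:
        return None
    try:
        data = json.loads(payload)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None
    return data if isinstance(data, dict) else None


class ForgedSession:
    """Attacker-built object: unpickling it calls eval() on a chosen string.

    The expression here is harmless (it returns the working directory); an
    attacker would substitute os.system or a reverse shell.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def demo(secret: bytes = SIGNING_SECRET) -> dict:
    """Run the legitimate and forged cookies through both loaders."""
    legit = sign_cookie(json.dumps({"user": "alice", "admin": False}).encode(), secret)
    # The attacker knows `secret`, so the forged cookie carries a valid MAC.
    forged = sign_cookie(pickle.dumps(ForgedSession()), secret)
    # Rotating the secret invalidates every cookie minted with the old one.
    rotated = b"a-freshly-generated-random-secret-of-32-bytes"
    return {
        "safe_legit": load_session_safe(legit, secret),
        "vulnerable_forged": load_session_vulnerable(forged, secret),
        "safe_forged": load_session_safe(forged, secret),
        "forged_after_rotation": verify_cookie(forged, rotated),
        "cwd": os.getcwd(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two loaders share the exact same MAC check; the only difference is what happens to the bytes afterwards. That is why the fix for this class is two-fold: rotate the leaked signing key so existing forged cookies stop validating, and stop deserializing cookie contents into objects at all.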

The researcher said he had gained access to the following:

  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over half a dozen other critical functions


Weinberg did not stop there. Looking through other configuration files on the server, he found that one of them contained credentials for Amazon Web Services, the cloud service that hosted Instagram's Sensu setup.

Those credentials could list 82 Amazon S3 buckets (storage units) but gave access to only one of them. The latest version of the file in that bucket contained nothing sensitive, but an older version of the same file held another key pair, and that pair let him read the contents of all 82 buckets.
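The detail that matters above is the older version of the file: a versioned object store keeps every prior revision, so a credential that was edited out of the current copy is still readable by anyone who can list versions. The scanner below is added here to illustrate that audit; it is not code from Weinberg's write-up or from Instagram's tooling. It walks every retained version of a constructed set of objects (the key values are the AWS documentation placeholders, not live credentials), flags credential-shaped strings, and reports whether each finding lives in the current revision or a stale one. The entropy threshold and the regexes are assumptions chosen for the example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: every retained version of two objects, newest first, in
# the shape a versioned bucket keeps them. The current config was cleaned up,
# but v2 still carries real-looking keys and v1 carries an all-zero placeholder.
VERSIONED_OBJECTS = {
    "config/sensu.yml": [
        ("v3 (current)",
         "aws:\n  region: us-east-1\n"
         "  access_key_id: ${AWS_ACCESS_KEY_ID}\n"
         "  secret_access_key: ${AWS_SECRET_ACCESS_KEY}\n"),
        ("v2",
         "aws:\n  region: us-east-1\n"
         "  access_key_id: AKIAIOSFODNN7EXAMPLE\n"
         "  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        ("v1",
         "aws:\n  region: us-east-1\n"
         "  secret_access_key: 0000000000000000000000000000000000000000\n"),
    ],
    "README.md": [
        ("v1 (current)", "Deploy with the usual credentials.\n"),
    ],
}

# AWS access key IDs are 20 characters starting with AKIA (long-lived) or ASIA
# (temporary). Secret keys are 40 characters of base64-ish text; we only accept
# them next to a secret-key-looking label to keep noise down.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_FLOOR = 4.0  # assumption: bits per char below which a 40-char string is a placeholder


@dataclass(frozen=True)
class Finding:
    path: str
    version: str
    kind: str
    value: str
    is_current: bool


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a repeated single character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_versions(objects: dict) -> list:
    """Scan every version of every object, not just the current one."""
    findings = []
    for path, versions in objects.items():
        for idx, (version, body) in enumerate(versions):
            current = idx == 0
            for m in ACCESS_KEY_RE.finditer(body):
                findings.append(Finding(path, version, "aws_access_key_id", m.group(0), current))
            for m in SECRET_KEY_RE.finditer(body):
                candidate = m.group(1)
                if shannon_entropy(candidate) >= ENTROPY_FLOOR:
                    findings.append(Finding(path, version, "aws_secret_access_key", candidate, current))
    return findings


def stale_versions_to_purge(findings: list) -> set:
    """(path, version) pairs that must be deleted, not merely re-edited."""
    return {(f.path, f.version) for f in findings if not f.is_current}


if __name__ == "__main__":
    results = scan_versions(VERSIONED_OBJECTS)
    for f in results:
        where = "CURRENT" if f.is_current else "stale"
        print(f"{f.path} @ {f.version} [{where}] {f.kind}: {f.value}")
    print("purge and rotate:", stale_versions_to_purge(results))
```

Against a real bucket the same loop would iterate over the results of an S3 list-object-versions call rather than the embedded dict. Reporting the version is the point: a key found only in a stale revision is just as live as one in the current file, so the remediation is to delete those versions and rotate the credentials, not to edit the current copy again.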

To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement, with the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data.


Instagram Hacked – Facebook Responds

After the researcher published his account, Facebook responded that his claims were false: Weinberg was never told not to publish his findings, only asked not to disclose the non-public information he had accessed.

The social media giant confirmed the remote code execution bug on the sensu.instagram.com domain and promised a $2,500 bug bounty as a reward to Weinberg and the friend who had first pointed out that the server was openly accessible.

However, the further weaknesses that let Weinberg reach the sensitive data were not rewarded, with Facebook saying that pulling that data from its internal systems violated the bug bounty program's guidelines.


Full Statement from Facebook

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.