A few months ago while I was playing with my smartphone, I decided to intercept traffic to see what it was sending. The first thing that caught my attention was the iOS Instagram app. For some reason, the app sent a request using a Facebook access token through an HTTP plain-text communication.
Here is the original request that I intercepted from the Instagram app:
POST /api/v1/fb/find/?include=extra_display_name HTTP/1.1
Host: instagram.com
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 337
Content-Type: multipart/form-data; boundary=Boundary+0xAbCdEfGbOuNdArY
Accept-Language: en;q=1, es-MX;q=0.9, fr;q=0.8, de;q=0.7, zh-Hans;q=0.6, zh-Hant;q=0.5
Cookie: ccode=AR; csrftoken=dab2c8d0c4fd28627ac9f2a77fa221d2; ds_user_id=1045525821; igfl=testlocura; is_starred_enabled=yes; mid=UuvAbgAAAAHj6L0tnOod5roiGYnr; sessionid=IGSC3aaf1427aa901bb052263b368642a34fe59897cba046682b7d95775ae70db64d%3AioaQSiHdJ61kCjuRaAD9sEJTEWXv6dqB%3A%7B%22_token%22%3A%221045525821%3Au91J1dZgsiJCBo0QVeF98nkohO0TV928%3A70d9eee5449941dc80fb238991e191f8f33cac5c98c1b078d86975b07979531d%22%2C%22last_refreshed%22%3A1392496331.661547%2C%22_auth_user_id%22%3A1045525821%2C%22_auth_user_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C%22_platform%22%3A0%7D
Connection: keep-alive
User-Agent: Instagram 5.0.2 (iPhone5,3; iPhone OS 7_0_4; en_US; en) AppleWebKit/420+
–Boundary+0xAbCdEfGbOuNdArY
Content-Disposition: form-data; name=”fb_access_token”
CAABwzLixnjYBAE71ZAmnpZAaJeTcSqnPSSvjEZA0CqIokUOj60VkZCOhuZCy4dT6TlcG9OpbMIO7dJnGiROm7XFEnRj….
–Boundary+0xAbCdEfGbOuNdArY–
After a quick review, I determined that the request was sent when I clicked on the Facebook Friends button, which allows users to search for friends from their Facebook account.
As an aside, an access token is an opaque string that identifies a user, app, or page. It can be used to perform certain actions on behalf of the user or to access the user’s profile. Each access token is associated with a select set of permissions that allow users to perform actions, such as reading their wall, accessing friend profiles, and posting to their wall.
In this case, these permissions were granted to the access token:
- installed
- basic_info
- public_profile
- create_note
- photo_upload
- publish_actions
- publish_checkins
- publish_stream
- status_update
- share_item
- video_upload
- user_friends
Potential Risk
Sending a request using access token through a plain-text communication poses a potential risk. An attacker who can intercept the app’s traffic and acquire access tokens can gain access to Facebook user accounts and manipulate their walls and access personal information.
If you use Instagram on a public WiFi, then someone might access your Facebook account and hack it.
Conclusion
Third-party apps that use these access tokens to associate users with their Facebook accounts should take extra precautions to protect their integrity and confidentiality. This will help avoid potential risks of leaking user information.
Instagram already fixed the vulnerability mentioned in this blog post.
Ariel Sanchez
For more information, see advisory: http://www.ioactive.com/pdfs/IOActive_Advisory_Instagram.pdf