The researcher who hacked Instagram claims he was threatened by Facebook after he responsibly reported a series of security issues.
Every platform is potentially hackable, even the armored Facebook and Instagram and the independent security researcher Wesley Weinberg has demonstrated it.
Of course, if the hackers ethically report the flaw to the company usually nothing happen, but the story I'll tell you seems to end up in taking legal actions against the expert.
The researcher Weinberg independent security researcher claims he was threatened by Facebook after he responsibly reported a series of security vulnerabilities and configuration flaws that allowed him to gain access to Instagram servers.
The expert confirmed to have had access to the following information:
- Source Code of Instagram website
- SSL Certificates and Private Keys for Instagram
- Keys used to sign authentication cookies
- Personal details of Instagram Users and Employees
- Email server credentials
- Keys for over a half-dozen critical other functions
Usually, experts that ethically report the vulnerabilities discovered are rewarded by the companies, but Facebook decided to sue the researcher of intentionally withholding flaws and information from its team.
Weinberg was analyzing Instagram systems after one of his friends suggested him to target potentially vulnerable server located at sensu.instagram.com.
The researcher discovered an RCE (Remote Code Execution) in the users' session cookie management.
According to Weinberg, he exploited the Remote code execution vulnerability in Instagram system due to two weaknesses:
- The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token.
- The host running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie.
Weinberg was able to access a database containing login details, including credentials, of both Instagram and Facebook employees.
The good news is that passwords were protected by bcrypt, but Weinberg was able to crack at least a dozen of weak passwords (i.e. instagram, password) in just a few minutes.
The expert then focused its efforts on the configuration of the server and discovered that one of the files contained some keys for Amazon Web Services accounts used by Istagram as data storage.
"These keys listed 82 Amazon S3 buckets (storage units), but these buckets were unique. He found nothing sensitive in the latest file in that bucket, but when he looked at the older version of the file, he found another key pair that let him read the contents of all 82 buckets." state THN.
Weinberg has compromised the entire architecture of Instagram, he gained access to the platform source code, SSL certificates and private keys (including for instagram.com and *.instagram.com), API keys, users' images, static content from the instagram.com website, email server credentials, iOS/Android app signing keys and much more.
"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Weinberg wrote in his blog. "With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user's account, [personal] pictures and data."
Weinberg reported his findings to Facebook, but the company reacted badly due to the exposure of employees' data and excluded the expert from the bug bounty program.
In early December, Weinberg claims Synack CEO, Jay Kaplan, received a scary call from Facebook security chief Alex Stamos regarding the vulnerability discovered by Weinberg. Stamos sustains that the expert opened the users to cyber attack compromising the security of the entire platform.
"Alex informed my employer (as far as I am aware) that I had found a vulnerability, and had used it to access sensitive data. He then explained that the vulnerability I found was trivial and of little value, and at the same time said that my reporting and handling of the vulnerability submission had caused huge concern at Facebook. Alex then stated that he did not want to have to get Facebook's legal team involved, but that he wasn't sure if this was something he needed to go to law enforcement over." Weinberg explained a blog post.
Stamos issued a statement, saying he "did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired."
Stamos published a post entitled "Bug Bounty Ethics" to reply Weinberg
"I told Jay that we couldn't allow Wes to set a precedent that anybody can exfiltrate unnecessary amounts of data and call it a part of legitimate bug research, and that I wanted to keep this out of the hands of the lawyers on both sides. I did not threaten legal action against Synack or Wes nor did I ask for Wes to be fired. I did say that Wes's behavior reflected poorly on him and on Synack, and that it was in our common best interests to focus on the legitimate RCE report and not the unnecessary pivot into S3 and downloading of data." Stamos wrote.
"Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk," he added.
Facebook assumed another position on the events, its security team says that Weinberg was never authorized to publish non-public information he accessed.
Facebook admitted the presence of the flaw and promised a $2,500 reward to Weinberg and his friend, but according to the company the expert has gone too far.
Beloo the full statement issued by Facebook:
"We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.
We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work."