A new bug in the Instagram API has just been located.
The Instagram API has been on the spot for some time now. About eight months ago, Instagram published two API fixes on previously reported issues via their bug tool. The bugs were rather innocent compared to the one that was just spotted by David Sopas, a security researcher at WebSegura.
The current bug is a reflected filename download bug, and exists within the public Instagram API. Sopas discovered the flow as he managed to produce a file download link which seemed to be hosted on a legitimate Instagram domain.
The Instagram API flow could conveniently serve a cybercriminal by enabling him to infect the victim’s system in the following way: Let’s say the cybercriminal hosts a malicious file at a location of a choice which could be a link to a page he controls, for example. The malicious link will look completely legit and when the attacker sends a message containing that link, the user would naturally trust the source and download the file which will appear as if it comes from a true Instagram domain.
In a post Sopas wrote at WebSegura, he said,
“This time I found a RFD on Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account. What we need? A token. No worries we just need to register a new user to get one.”
The public API for Instagram is owned by Facebook, but Sopas explained that Facebook security engineers were not convinced that RFD issues are serious security vulnerabilities.
And, although “RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” according to him, neither Facebook, nor many other companies are taking the RFD issues under a serious consideration.