Ever wonder how to hack Instagram or how to hack a facebook account? Well, someone just did it!
But, remember, even responsibly reporting a security vulnerability could end up in taking legal actions against you.
An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to successfully gained access to sensitive data stored on Instagram servers, including:
- Source Code of Instagram website
- SSL Certificates and Private Keys for Instagram
- Keys used to sign authentication cookies
- Personal details of Instagram Users and Employees
- Email server credentials
- Keys for over a half-dozen critical other functions
However, instead of paying him a reward, Facebook has threatened to sue the researcher of intentionally withholding flaws and information from its team.
Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends hinted him to a potentially vulnerable server located at sensu.instagram.com
The researcher found an RCE (Remote Code Execution) bug in the way it processed users’ session cookies that are generally used to remember users' log-in details.
Remote code execution bug was possible due to two weaknesses: The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token The host running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie.
Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.
Although the passwords were encrypted with ‘bcrypt’, Weinberg was able to crack a dozen of passwords that had been very weak (like change me, instagram, password) in just a few minutes.