Researcher discovers Instagram leak and gets into conflict with Facebook

Dec 19, 2015

Security researcher Wesley Wineberg discovered, while taking part in Facebook's bug bounty program, a vulnerability on an Instagram server that gave access to highly sensitive data. Facebook then paid only a modest reward, claiming that the researcher had gone too far.

Wineberg describes his version of the story on his blog. After identifying a vulnerability in an Instagram server, he decided to report his findings to parent company Facebook. The company paid him a reward of $2,500, roughly 2,300 euros. Wineberg, however, had come across some interesting files and decided to investigate further. According to him, he was still within the rules of Facebook's bug bounty program at that point. This is where the positions of the two sides diverge. Facebook CSO Alex Stamos says that everything up to finding the leak on the Instagram server was done by the rules, but that Wineberg then crossed the line. Forbes has an extensive article devoted to the conflict.

Wineberg's findings started with a tip from a friend, who pointed him to a potentially vulnerable Instagram server. The server was running a Ruby on Rails application called "Sensu-Admin" with a hardcoded Rails secret token. After some research, Wineberg used this token to fabricate a session cookie, which gave him remote code execution on the Instagram server. In practice that meant he could do anything with the server. This was the first finding he reported to Facebook.
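The hardcoded Rails secret token is the root of the chain described above. The Ruby below is an added example, not code from the article, from Wineberg or from the Sensu-Admin project. It does two defender-side things: it audits a Rails initializer for a secret committed as a string literal (the file layout `config/initializers/secret_token.rb` and the app name `ExampleApp` are assumptions), and it shows why a leaked secret must be rotated rather than merely hidden, since any session cookie signed under the old secret keeps verifying until the secret changes.

```ruby
require "openssl"
require "base64"

# Added example, not code from the article or from the Sensu-Admin project.
# Two defender-side checks for the weakness described in the article:
#  1. audit a Rails initializer for a secret token committed as a string literal;
#  2. show that a session cookie signed under a leaked secret verifies until the
#     secret is rotated, and is rejected afterwards.

# A secret assigned as a quoted literal of 8+ characters (hardcoded).
HARDCODED_SECRET = /\bsecret_(?:token|key_base)\s*=\s*(['"])([^'"]{8,})\1/
# A secret loaded from the environment or encrypted credentials (acceptable).
ENV_BACKED_SECRET = /\bsecret_(?:token|key_base)\s*=\s*(?:ENV\.fetch\(|ENV\[|Rails\.application\.credentials)/

# Returns one finding per line that assigns a secret, tagged :hardcoded or :env_backed.
def audit_secret_config(source)
  findings = []
  source.each_line.with_index(1) do |line, n|
    next if line.strip.start_with?("#")
    if (m = line.match(HARDCODED_SECRET))
      findings << { line: n, kind: :hardcoded, length: m[2].length }
    elsif line.match?(ENV_BACKED_SECRET)
      findings << { line: n, kind: :env_backed }
    end
  end
  findings
end

# Rails of that era signed the session cookie as
# "base64(payload)--hex(HMAC-SHA1(secret, base64(payload)))".
def sign_cookie(payload, secret)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so the check does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload if the signature matches the given secret, nil otherwise.
def verify_cookie(cookie, secret)
  data, digest = cookie.split("--", 2)
  return nil unless data && digest
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA1", secret, data), digest)
  Base64.strict_decode64(data)
end

# Constructed sample initializers (hypothetical app name, made-up token value).
VULNERABLE_CONFIG = <<~RUBY
  # config/initializers/secret_token.rb
  ExampleApp::Application.config.secret_token = 'constructed0123456789abcdef'
RUBY

FIXED_CONFIG = <<~RUBY
  ExampleApp::Application.config.secret_token = ENV.fetch("SECRET_TOKEN")
RUBY

if __FILE__ == $PROGRAM_NAME
  puts audit_secret_config(VULNERABLE_CONFIG).inspect  # one :hardcoded finding on line 2
  puts audit_secret_config(FIXED_CONFIG).inspect       # one :env_backed finding on line 1
  cookie = sign_cookie('{"user_id":1}', "leaked-secret")
  puts verify_cookie(cookie, "leaked-secret").inspect  # accepted while the secret is unchanged
  puts verify_cookie(cookie, "rotated-secret").inspect # nil: rotating the secret invalidates it
end
```

The audit only recognises the two assignment shapes shown in the regexes; a real review should also grep version control history, since a secret that was once committed stays in the repository even after the file is fixed, which is exactly why rotation, not just removal, is the remediation.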

On the compromised server he found some interesting files, including a database with the bcrypt-hashed passwords of sixty Instagram and Facebook employee accounts. Cracking such hashes would normally take a long time, but he decided to give it a try. To his surprise, after a few minutes he had cracked twelve passwords, including 'changeme', 'password' and 'instagram'. The data he found then provided him with a key for various AWS services, including Amazon's S3 storage service.

From there he was able to find a new key pair in an old configuration file. This last key pair finally gave him access to 82 different buckets containing a great deal of highly sensitive data. Wineberg mentions details such as the source code of current versions of the Instagram back end, SSL certificates and private keys for instagram.com, and credentials for an email server and social media APIs. He himself says it would be fair to state that he "had access to all of Instagram's secret keys".
