Researcher discovers Instagram leak and comes into conflict with Facebook
Security researcher Wesley Wineberg discovered a vulnerability on an Instagram server during a bug bounty program that gave him access to highly sensitive data. Facebook paid only a modest reward, claiming the researcher went too far.
Security researcher Wesley Wineberg describes his version of the story on his blog. After identifying a security vulnerability on an Instagram server, he reported his findings to parent company Facebook, which paid him a reward of $2,500. However, Wineberg had also come across some interesting files and decided to investigate further. He says he was still within the rules of Facebook’s bug bounty program at that point. This is where the two sides’ positions diverge: Facebook CSO Alex Stamos states that everything up to the discovery of the vulnerability on the Instagram server was according to the rules, but that Wineberg overstepped the program’s bounds afterwards. The Forbes site has an extensive article devoted to the conflict.
Wineberg’s findings started with a tip from an acquaintance who pointed him to a potentially vulnerable Instagram server. The server was running a Ruby app called ‘Sensu-Admin’ with its secret Rails token embedded in it. Using that token, after some research, Wineberg was able to forge a session cookie that gave him remote code execution on the Instagram server, meaning he could effectively do anything with it. This was the point at which he first shared his findings with Facebook.
On the compromised server he found some interesting files, including a database of 60 Instagram and Facebook employee accounts with bcrypt-hashed passwords. Cracking bcrypt hashes normally takes considerable time, but he decided to give it a try. To his surprise, within a few minutes he had already recovered twelve passwords, including ‘changeme’, ‘password’ and ‘instagram’. The data he found also included a key that gave him access to several AWS services, including Amazon’s S3 storage service.
From there he found another key pair in an old configuration file. This second key pair eventually gave him access to 82 different buckets containing all sorts of highly sensitive data. Wineberg lists data such as the source code of recent versions of the Instagram backend, SSL certificates and private keys for instagram.com, email server credentials, and social media API keys. He himself states that it would not be untrue to say that he ‘had access to all the secret keys of Instagram’.
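Two of the links in this chain were secrets sitting in files: a Rails secret token embedded in the app and AWS key pairs left in an old configuration file. As an added example (not code from the article, Wineberg, or Facebook/Instagram), the scanner below flags such hard-coded secrets in a config or source file and reports them redacted; the regex heuristics and the sample config are constructed for this example, and the AWS values are the placeholder keys from AWS’s own documentation.

```python
import re
from dataclasses import dataclass

# Heuristic patterns (assumed for this example, not from the article) for the
# secrets the story turns on: a hard-coded Rails secret token and AWS key pairs.
PATTERNS = {
    "rails_secret_token": re.compile(
        r"secret_(?:token|key_base)\s*=\s*['\"]([0-9a-fA-F]{40,})['\"]"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?", re.I),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    preview: str  # redacted so the report itself does not leak the secret

def redact(value: str, keep: int = 4) -> str:
    """Show only a short prefix: enough to recognise the key, not to use it."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_config(text: str) -> list[Finding]:
    """Return every hard-coded secret found in the text of a config/source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(1))))
    return findings

# Constructed sample resembling a Rails initializer and an old S3 config file.
# The AWS values are the placeholder keys used in AWS's documentation.
SAMPLE_CONFIG = """\
# config/initializers/secret_token.rb (constructed sample)
SensuAdmin::Application.config.secret_token = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
# config/s3.yml (constructed sample)
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} -> {f.preview}")
```

Running it as a pre-commit or CI check over repositories and deployment configs catches exactly the class of leftover credentials that turned a single server compromise into access to every bucket.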