Connect with us

Technology

Bug Bounty Hunter Paid $30k For Discovering Instagram Vulnerability

The vulnerability, if not patched, could allow hackers to take over Instagram accounts in 10 minutes.

Photo: Laxman Muthiah | ZeroHacks.com

Published

on

ad1

Facebook-owned photo-sharing platform, Instagram, has recently patched up a vulnerability discovered through its bounty program, which, if left unresolved, would allow hackers to take over accounts of users in a matter of ten minutes.

The vulnerability was discovered by Indian bug bounty hunter Laxman Muthiah, which lies inside the app’s password recovery mechanism implemented by the mobile version of Instagram.

Majority of apps and software has an option to “recover password” or gives the option to user to “reset passwords.” According to Muthiah, a flaw in Instagram’s password recovery mechanism can allow threat actors to hack into an Instagram account.

“Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability. I tried to reset my password on the Instagram web interface. They have a link based password reset mechanism which is pretty strong, and I couldn’t find any bugs after a few minutes of testing,” Muthiah said in a blog post.

Instagram’s mechanism works rather straightforwardly. After a user requests for a password reset (usually in cases where the user forgets his or her password), they have to confirm a six-digit secret passcode (that expires after 10 minutes) sent to their associated mobile number or email account to prove their identity.

However, mathematics suggest that there is, indeed, a finite number of six-digit passcodes and combinations. But the researchers said it isn’t as simple as trying every combination from millions of possibilities, as while this is an arduous process even with the help of a certain tool. Instagram also has limited the number of attempts to prevent hackers from doing so.

“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we can try all the one million codes on the verify-code endpoint, we would be able to change the password of any account. But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it.”

However, Laxman found that this rate limiting can be bypassed by sending brute force requests from different IP addresses and leveraging race condition, sending concurrent requests to process multiple attempts simultaneously.

“Race hazard (concurrent requests) and IP rotation allowed me to bypass it. Otherwise, it wouldn’t be possible. Ten minutes expiry time is the key to their rate limiting mechanism, that’s why they didn’t enforce permanent blocking of codes,” he said.

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of [requests] and the number of IPs we use. Also, I realized that the code expires in ten minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack,”

During the test, the researcher was able to use 1000 different machines (to achieve concurrency easily) and IPs to send 200,000 requests which 20 percent of total one million probability).

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”

The discovery of the vulnerability was submitted to Facebook’s bounty program, and Muthiah was granted a bounty of $30,000 for his work. Facebook confirms that the Muthiah’s discovery existed and has started working to fix the vulnerability among others that could potentially put their users at risk.

Facebook’s bug bounty program encourages white-hat hackers to discover and find ways that Facebook’s and its subsidiaries’ system can be exploited.

“Facebook is working constantly to improve its security controls on all of their platforms. As a part of it, they recently increased reward payouts for all critical vulnerabilities, including account takeovers. So I decided to try my luck on Facebook and Instagram. Fortunately, I was able to find one on Instagram,” Muthiah said in his post.

A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama. I also own a cybersecurity blog called Zero Day.

Gadgets

Apple iPhone 11 rumored to unveil on September 10

A13 chips?

Published

on

ad1

The announcement date for the iPhone 11 is said to be found on the beta version of its new operating system. This news follows Apple’s release of iOS 13’s beta version to developers last August 15.

Within the seventh beta version of iOS 13, there is an asset labeled “HoldForRelease” that suggests the latest iPhone models could be announced on September 10. The image found in the systems files indicating the said date was first spotted by iHelpBR.

In 2018, just before the official event date for the iPhone was revealed, a similar leak happened to Apple. The leak indicated that the launch of the iPhone XS, iPhone XS Max, and iPhone XR would fall on September 12. The prediction proved to be correct.

Apart from the announcement date, there have been rumors that the newest iPhone line would be released on September 20. The president of Japan’s Softbank Ken Miyauchi implied that the new iPhones would be unveiled during the Apple keynote event on September 10, and they will be released to the market ten days after.

In the past four years, Apple has scheduled the release event in September. The Cupertino-based tech giant has been holding its iPhone event either on the second Tuesday or Wednesday of the month.

It is unlikely that Apple would be hosting the said event on September 11. This makes September 10 as the most probable date. If the rumor proves to be accurate, pre-ordering would most likely start on September 13, and shipping would begin a week after.

While Apple’s announcement is only a few weeks away, there have been leaks and tips regarding the names of the latest iPhones. According to phone case company, ESR, the newest phones would be called iPhone 11, iPhone 11 Pro, and the iPhone 11 Pro Max.

With the growing anticipation for the release of the 2019 Apple iPhone models, the question of what these smartphones can offer is brewing. Apple has recently experienced a 12% decrease in iPhone sales, and it has reported a dip in its quarterly profit as well.

Its rivals — Samsung, Google, and Huawei — recently released their latest smartphones, and they are priced cheaper compared to Apple’s recently released iPhones. With these issues at hand, Apple is expected to deliver a product that can attract new customers and keep its current users.

According to analysts, they don’t see major changes in the iPhone 11. The more extensive changes would be happening in 2020. This might include features like 5G support and 120Hz OLED Retina display.

One of the biggest changes being anticipated with the release of iPhone 11 is its camera set-up. In a Bloomberg report made in January 2019, it seems Apple would be giving at least one of the 2019 iPhone models three rear-facing lenses. This feature would allow the phone to take greater and better wide-angle shots.

The iPhone 11 is rumored to come in four different colors — gold, white, black, and dark green. There are also reports saying that Apple will be dropping the 3D Touch feature this year. Apple might be incorporating a new Haptic Touch technology dubbed as “leap haptics.”

If your other Apple device is running out of battery, the iPhone 11 might be able to give it some juice through its bilateral charging feature. Similar to Samsung’s Galaxy 10 phones, and their ability to power the Galaxy Watch Active and Galaxy Buds, you can use the iPhone 11 to charge the 2019 Apple AirPods or other iPhones.

There is a prediction going around that the 2019 iPhone models would include larger batteries. This means that there is a possibility that their battery life would be much better compared to the older iPhone models.

When it comes to the phone display, Apple is likely offering another LCD phone this year. In last year’s release, the iPhone XR had an LCD display while the iPhone XS and XS Max had high-resolution OLED displays.

With last year’s iPhone releases, the smartphones were equipped with the highly-powerful A12 Bionic chip. Rumors are saying that the iPhone 11 might be powered by a processor that’s quite similar to the one found in the iPad Pros called the A12X. Apple could also be using the new A13 chip.

Continue Reading

Cybersecurity

Kaspersky Antivirus zero-day could ironically allow hackers to track users

Kaspersky has already issued a patch to resolve the vulnerability.

Published

on

Photo: David Orban | Flickr | CC BY 2.0
ad1

A German journalist discovered a flaw in the system of Kaspersky Lab’s antivirus that led to a significant security risk which allowed cybercriminals to track Kaspersky customer without their knowledge.

This all started when Ronald Eikenberg began testing antivirus programs for his own publication. A few months later he discovered that on a website, Kaspersky’s antivirus has been injecting some code. Eikenberg said that it seems that Kaspersky is trying to find ways in interacting with the site even though there is no browser extension on the system.

“One of the purposes of the script is to evaluate Google search results displayed in the user’s browser. If a link is safe, the Kaspersky software will display a green shield behind it,” he added.

In this era, most of the companies and websites would require tracking users across the internet to identify them and learn their interest to provide the target advertisements to be shown to them. Usually, this would require 3rd-party cookies, and this would allow even Facebook or Google to track your movement throughout multiple websites.

The problem however when using Kaspersky Antivirus is that it exposes a user by tagging them with a unique identifier that will record and keep track of what you visited in the past four years, which would allow some sites and third-party services to track them even though users have already blocked them. This will be putting the users at risk since everything that the user does is being monitored or kept track of.

“That’s a bad idea because other scripts that run in the context of the website domain can access the HTML code at any time—and thus the injected Kaspersky ID. This means in plain language that any website can simply read the Kaspersky ID of the user and misuse it for tracking,” the researcher says.

Instead of using unique identifiers, they were given a specific ID assigned to a particular computer; thus, it does not change after several days.

This attack could lead to scamming people by either asking their personal information or bank account information through the form of a payment system. One good example would be that a pop-up will show up and say ‘your license has expired, please enter your credit card information to renew your subscription.’

This process would affect multiple users that are using Kaspersky Antivirus. 

There was a patch that was issued last month to update all Kaspersky antivirus program for all the user of a specific version. However, there is still a version of the security tool that still allows a malicious hacker to know that antivirus software is installed on the machine.

Another way to somehow mitigate the problem is to manually uncheck in the software settings depending on the situation that you feel you are being spied on.

Kaspersky has already removed the unique identifiers for the GET request to enhance somehow the process of checking web pages when it comes to malicious activity. The change was provoked by Eikenberg after he notified Kaspersky about the possible risk of personal information disclosure when using unique identifiers for the GET request.

A statement released by Kaspersky revealed that based on their research, there is a minimal chance that this could be carried out in practice, but it is theoretically possible to happen. The complexity of the program would help fend off the leak of private information and also its low profitability would somehow be a discouragement for the hacker. 

Nevertheless, the company would still need to improve their system in order to prevent further mishaps, the private information that should be protected by the company is a due responsibility that should not be taken short for. Thus it is a severe issue if Kaspersky does not resolve the problem at hand right away. 

On a brighter note, if users want to disable tracking altogether, they can manually disable the URL advisor feature from the settings – additional – network- uncheck traffic processing box. This procedure will allow the user to be safe and not be monitored for the meantime while using the said application.

Users of specific tools that sole purpose is to protect our information and protect the user, having this kind of issue will bring distraught to the public in trusting some of the protection programs to install on their devices.

Continue Reading

Gadgets

Huawei warns Trump of disrupting the dominance of Apple, Google

Huawei CEO said that if the U.S. government continues to deny them of using Android, they will be forced to use HongMeng OS on their new smartphones, disrupting the dominance of Google and Android.

Published

on

Photo by Kamil Kot on Unsplash
ad1

Huawei is poised to take over and disrupt the dominance of two long-standing tech giants in the smartphone industry, Google and Apple, and when pushed by the U.S. government to their last recourse if Washington continues denying the Chinese company access to the Android operating systems for their future smartphone products, it will have no choice but to fight against Google and Apple, which is bad for the U.S., Huawei CEO Ren Zhengfei warned.

Ren stated in an interview that if Google strips them from the Android operating system, then the world will know a third operating system. Ren also claimed that releasing a third operating system will not be the best choice for the two major companies since there will be more competition.

The blacklisting was announced last May, and since then, Huawei has been claiming to launch a new smartphone with a new operating system. The operating system, named HongMeng or Harmony OS, will be better than both the current operating system available, the tech giant said.

People have been wanting a better version of the smartphones that we are using now, instead what we got instead are clever phones that have low-latency, better smart-TVs and even watches that are able to connect to the internet.

Huawei claimed that they don’t have a “plan-B” if ever the banning of Google would happen, according to Ren. If ever Google is not used, they plan to shift HarmonyOS to be viable to smartphones, but it would take some time since the shift would require them to create a whole new system that would be on par when it comes to its performance.

The problem all started when there were claims that due to the coziness of Huawei with the Chinese government, it is feared that the devices would be used as a tool to spy on other countries. This was all the reason that caused the U.S. to ban companies from using equipment from Huawei way back in 2012.

An executive order from President Donald Trump placed Huawei on the list of the U.S. Department of Commerce’s Bureau of Industry and Security on May 15. However, Trump agreed to be more lenient on the restriction as a part of a deal to resume business trade talks with China in June.

If the U.S. really does deny access to Google’s operating system, then Huawei has no choice but to create an alternative, and it will be backed up by China for Huawei to create this alternative.

Ren warned Google, “you cannot rule out the chance that the third operating system might outrun them someday.”

The U.K. can’t practically decide on what to do right now as other major telcos still work hand in hand with Huawei by continuing to sign agreements with them. While the U.S. still is still tangled in trade talks with agriculture, so the cycle of their industry is still the same, fast-moving and no change. 

Supplying ‘authoritarian regimes’

In an interview, Ren also admitted that Huawei supplies “authoritarian regimes.”

“I actually do not make any prejudgement of a government first before we sell to our customers. Because every country has a sovereign system, it’s not in our position to interfere with the sovereignty of other states. If we did, then we would be playing the game of politics, right? And that’s a matter for sovereign states.”

The situation where Huawei is on right now might be a little difficult since it will require a gamble if ever they were denied access with Google’s operating system. Right now, Huawei still does not have any ‘plan-b’ course of action, but they will have to make an alternative when the time comes. They also plan to compete with the two biggest Operating system provider (Google and Apple). 

The U.S. is still pondering on whether to continue the relationships with Huawei or to completely ban them and make them a permanent blacklist on U.S. Department of Commerce’s Bureau of Industry and Security, halting any form of trade with Huawei and demolishing the support that they are still currently having with Google.

The long term plan is still hazy, but if ever the U.S. does force China into a full-scale Android alternative, others will jump on board. And, despite the rhetoric, the U.S. really does not want that.

Continue Reading

Trending