March 27, 2015 By Douglas Bonderud 2 min read

Instagram is one of the most popular social media apps, with more than 200 million users and a relatively solid track record when it comes to vulnerabilities. However, according to Threatpost, security researcher David Sopas of WebSegura has discovered a potentially massive hole in the Instagram application programming interface (API) — and so far, the picture-sharing site doesn’t seem keen on fixing the issue.

Reflected Dangers of Instagram API

According to Sopas, Instagram’s problem stems from a new attack technique called the reflected file download (RFD). First identified by Oren Hafif of Trustwave SpiderLabs, RFDs allow malicious actors to create links that make it appear that files are being hosted by trusted domains, such as Google, Bing or Instagram. In fact, response content in the form of malicious files are created on the fly by Web browsers. The result is malware downloads that require no uploads. For this type of attack to work, the three following elements must be present:

  • Some user input must be “reflected” to create the response content.
  • The URL or API of the site being used must accept additional commands.
  • Downloadable files must be created on the fly.

Finding Focus

So how does this apply to the Instagram API? Sopas said the site’s programming interface can be modified by entering a batch command in the “bio” field, which fills the role of persistent reflected content. The only caveat? Attackers need a token to start the process, which can be easily obtained by creating a new account. Using Chrome, Opera, Chrome for Android — the Android stock browser — and, in some cases, Firefox, Sopas was able to generate an email link that appears to point to a legitimate Instagram domain. In fact, it takes users to an attacker-controlled Web page.

As far as Sopas is concerned, “RFD is very dangerous, and combined with other attacks like phishing or spam, it could lead to massive damage.”

Instagram’s response? Not much. A spokesperson said the RFD issue discovered by Sopas doesn’t fall under the company’s bug bounty program because it “excludes reports which have no practical security implications, as well as social engineering techniques that require significant interaction from the victim.”

In other words, the social site sees this problem as an unlikely circumstance that demands work from both malicious actors and victims. However, in the event of a successful RFD attack that also leverages a targeted phishing campaign, a host of fake download links crop up that cannot be differentiated from the real thing. While users are always best to avoid clicking any in-email links, this type of masking technique could easily fool even savvy technophiles. Without the need to upload any malware to initiate the download process, catching the culprits will be no easy task.

The big picture? Instagram’s API has a flaw, and so far, there’s no fix. Security researchers say it poses a large risk, while the company considers it a minor irritant. With RFD poised to make significant inroads as a new attack vector, however, a new best practice emerges: Carefully filter all email for the mark of duplicitous domains.

Image Source: Flickr

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today