20 December 2015

Facebook Threatens Researcher with criminal action for submitting Instagram Vulnerabilities

Wesley Wineberg, an independent security researcher, reported multiple vulnerabilities in Instagram to Facebook which, he says, together gave him effectively complete control of the service. After Wineberg informed Facebook of the vulnerabilities, the company offered him a reward for one of the bugs, but it also contacted his employer and threatened him with legal action.

In his personal blog, Wineberg, a contract employee of the security firm Synack, wrote that he found multiple vulnerabilities in Instagram's infrastructure. Chained together, they gave him access to:
1. the source code for recent versions of Instagram
2. SSL certificates and the matching private keys for instagram.com
3. email server credentials
4. iOS and Android app-signing keys and iOS push-notification credentials
5. employee accounts and passwords
6. Amazon S3 buckets holding user images and other data

Wesley Wineberg, in his blog post, wrote the following: "To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement. With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member."

Timeline: October 21 to December 16, 2015
On December 1, 2015, Facebook's CSO, Alex Stamos, contacted the CEO of the company Wineberg works for and raised the possibility of legal and criminal action if Wineberg did not comply with Facebook's demands, which included keeping all of his findings secret.

Below is the timeline, as given by Wesley Wineberg, of how it all started and unfolded.

October 21 –
RCE in sensu.instagram.com discovered and reported.
Weak accounts on sensu.instagram.com discovered.
Based on a tip from a friend, investigated sensu.instagram.com for security issues and discovered that the sensu-admin interface could be exploited to gain RCE.
Vulnerability with PoC submitted to Facebook's whitehat program.
Local postgres DB for sensu-admin accessed to enumerate accounts.
60 employee accounts discovered, with at least 12 having extremely weak passwords set.
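The last two lines describe an offline password audit: rows pulled from the sensu-admin user table, then checked against a short list of obvious passwords. The same check is what a defender should be running against their own user table before someone else does. The script below is an added example, not code from Wineberg's write-up or from Sensu. It assumes the application stores PBKDF2-HMAC-SHA256 with a per-user salt (the page does not say what hash sensu-admin used; any other slow hash plugs in by replacing hash_password) and uses a constructed four-account fixture in place of a real dump.

```python
import hashlib
import hmac

# Assumption (not stated on the page): PBKDF2-HMAC-SHA256 with a per-user salt.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored digest for one password/salt pair."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed fixture standing in for rows enumerated from the sensu-admin DB.
# A real dump contains only (email, salt, digest); the plaintexts appear here
# solely so the fixture can be built offline.
_FIXTURE = [
    ("alice@example.com", b"salt-1", "password"),
    ("bob@example.com", b"salt-2", "bob123"),
    ("carol@example.com", b"salt-3", "changeme"),
    ("dave@example.com", b"salt-4", "Xq7!vR2#pL9m"),
]
ROWS = [(email, salt, hash_password(pw, salt)) for email, salt, pw in _FIXTURE]

# Short, targeted wordlist: generic defaults plus names tied to the target.
WEAK_WORDS = ["password", "123456", "changeme", "welcome1", "instagram", "sensu"]


def candidates(email: str, wordlist):
    """Yield guesses: the wordlist plus trivial derivations of the account name."""
    local = email.split("@", 1)[0]
    derived = [local, local + "1", local + "123", local.capitalize() + "1"]
    seen = set()
    for guess in list(wordlist) + derived:
        if guess not in seen:
            seen.add(guess)
            yield guess


def audit(rows, wordlist=WEAK_WORDS) -> dict:
    """Map each email to the guessed password, or None if no candidate matched."""
    results = {}
    for email, salt, digest in rows:
        results[email] = None
        for guess in candidates(email, wordlist):
            # Constant-time comparison; irrelevant offline, but a good habit.
            if hmac.compare_digest(hash_password(guess, salt), digest):
                results[email] = guess
                break
    return results


def weak_fraction(results: dict) -> tuple:
    """Return (cracked, total) so the finding can be reported as a proportion."""
    cracked = sum(1 for pw in results.values() if pw is not None)
    return cracked, len(results)


if __name__ == "__main__":
    res = audit(ROWS)
    for email, pw in res.items():
        print(f"{email}: {'WEAK (' + pw + ')' if pw else 'not in wordlist'}")
    print("%d of %d accounts use a guessable password" % weak_fraction(res))
```

Because the hash is deliberately slow, the candidate list is kept short and specific (product name, company name, the account's own name) rather than a full dictionary; that is enough to surface the "extremely weak" tier the timeline describes, and it is the tier that matters most when the same accounts also exist on other internal systems.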

October 22 –
RCE in sensu.instagram.com acknowledged.
Facebook confirms that they are investigating this vulnerability.
Weak accounts on sensu.instagram.com reported.
Weak accounts reported as a vulnerability to Facebook's whitehat program.

October 24 –
sensu.instagram.com taken offline or firewalled.
Remote access to this server is no longer possible.
While waiting for a reply from Facebook security regarding the weak accounts, examined the sensu.instagram.com configuration further and discovered an AWS key pair.
This key pair was found to give access to a second key pair, and through it to 80 different Amazon S3 buckets.
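The step above, an AWS key pair sitting in a server's configuration, is exactly what a secrets scan over config files and repositories is meant to catch before an outsider does. The script below is an added example, not code from Wineberg's post or from Sensu: it scans a constructed Sensu-style JSON settings file containing the AWS documentation example credentials (not live keys), reports each credential-shaped token with its line number in redacted form, and flags whether a complete ID-plus-secret pair is present, since an access key ID on its own grants nothing.

```python
import re

# Constructed sample (not the real sensu.instagram.com configuration): a Sensu-style
# JSON settings file with an embedded AWS key pair. The values are the AWS
# documentation example credentials and are not live.
SAMPLE_CONFIG = """\
{
  "s3": {
    "bucket": "example-backups",
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1"
  },
  "handlers": {
    "pagerduty": {"api_key": "0123456789abcdef0123456789abcdef"}
  }
}
"""

# Long-lived (AKIA) and temporary (ASIA) access key IDs share a fixed 20-char shape.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 chars of base64-like text; require a "secret" label on the same
# line to keep other 40-char tokens (hashes, random IDs) out of the report.
SECRET_KEY_RE = re.compile(r"(?i)secret[^\n]{0,30}?['\"]([A-Za-z0-9/+=]{40})['\"]")


def redact(value: str) -> str:
    """Keep just enough of a credential to identify it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list:
    """Return one finding per credential-looking token: {line, kind, redacted}."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": line_no, "kind": "aws_access_key_id",
                             "redacted": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": line_no, "kind": "aws_secret_access_key",
                             "redacted": redact(m.group(1))})
    return findings


def has_usable_pair(findings) -> bool:
    """True when both halves are present: ID plus secret is what grants API access."""
    kinds = {f["kind"] for f in findings}
    return {"aws_access_key_id", "aws_secret_access_key"} <= kinds


if __name__ == "__main__":
    found = scan_text(SAMPLE_CONFIG)
    for f in found:
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
    if has_usable_pair(found):
        print("complete AWS key pair present: rotate it and audit what it can reach")
```

A hit from a scan like this only becomes the access the timeline describes once the pair is confirmed live (for example with `aws sts get-caller-identity`) and the buckets and roles it reaches are enumerated. That confirmation step is the one a tester should have agreed in writing beforehand, which is precisely the scope dispute the rest of this timeline records.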

October 28 –
Response received regarding weak accounts on sensu.instagram.com.
The response from the Facebook security team implies that I have gone outside the scope of the whitehat bounty program.
No explanation is given for what about the vulnerability submission is out of scope.

Clarification requested regarding testing scope, and why the written rules differed from the rules stated by Facebook's security team.
This was never clearly resolved.

November 16 –
RCE in sensu.instagram.com accepted for $2,500.
Facebook acknowledged the above vulnerability but split the bounty with my friend who originally found the server.
Facebook states that it typically rewards only the first researcher to report a valid issue through the bounty program, but that in this case it will be paying for related reports with different information that helped track down and fix the issue.

December 1 –
Weak accounts on sensu.instagram.com rejected.
User privacy violation claimed.

AWS key pairs from sensu.instagram.com reported.
AWS key pairs and S3 bucket access reported as a third and final vulnerability to Facebook's whitehat program.

Alex Stamos phones employer –
Late in the evening, Facebook's CSO, Alex Stamos, contacts the CEO of the company where Wineberg works. Stamos explains the possibility of legal and criminal action if Wineberg does not comply with Facebook's demands, which included keeping all findings secret.

December 4 –
AWS key pairs from sensu.instagram.com rejected.
Facebook contacted via the normal security support system.
Facebook states: "we feel it's appropriate for you to write up your process for finding and testing the initial RCE on sensu.instagram.com but not any actions you took after finding that RCE."

December 16 –
Based on the interactions with Facebook's security team to date, the findings were published.

Moral of the Story –

The moral of the story: never report anything to Facebook straight away. First study the target, find the loopholes in depth, then go and meet a lawyer, and only then inform Facebook and start dealing with them, if what you want from Facebook is money.

Second, if you are not interested in money, still do all the research, then post the write-up on social media sites, send it to bloggers, and send it to the company concerned on the same day, and
enjoy your fame.


Suggested Reading –

Wesley Wineberg's blog post, with the full details of how it all happened


Reality views by sm –

Tags – Facebook legal action researcher

2 comments:

Destination Infinity December 21, 2015  

And there are other companies that advertise hackathon competitions, etc. to encourage hackers to find vulnerabilities so that they can fix them and reward the hacker who found it!
