
Instagram Patches Two Brute Force Login Bugs

Facebook has patched two security flaws in its Instagram mobile photo-sharing service that could have allowed attackers to take over users’ accounts.

Both flaws could have allowed an attacker to guess a user’s password by making a large number of guesses, known as a “brute-force” attack, according to Belgian computer security researcher Arne Swinnen, who discovered the bugs.

Weak security

For instance, the service allows relatively weak passwords, and while it has introduced two-factor authentication, this hasn’t yet been rolled out worldwide, Swinnen said. The service also lacks any policy for locking user accounts after a number of incorrect password guesses have been made, he said.

“Therefore, exploitation of these issues could have resulted in the compromise of millions of the 400+ million active Instagram accounts – especially those with predictable passwords,” he said in an advisory.

The flaws are the latest indication of insecurity in social media services, where thefts of user data and takeovers of high-profile user accounts have become increasingly routine.

Brute-force attack

Swinnen pointed out that both flaws resulted from the lack of basic security precautions to limit the number of incorrect guesses that could be made at login.

The first issue involved Instagram’s Android app, which allowed roughly 1,000 guesses from a unique IP address before delivering an error message.

Bizarrely, the error message persisted for another 1,000 guesses, after which login attempts were again allowed, although they alternated with the error message, Swinnen said.

“This allowed a reliable brute-force attack, since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received,” he wrote. “The only limitation of this attack was that on average, two authentication requests had to be made for one reliable password guess attempt.”

He said he was able to write a Python script that launched an attack using 10,000 popular passwords against a test Instagram account.

Web login

The second issue involved Instagram’s web portal login, which also lacked any feature effectively limiting the number of password guesses for an account and didn’t lock accounts targeted by a brute-force attack.

Swinnen said Facebook fixed both bugs by introducing more effective rate-limiting controls and also tightened restrictions on extremely easy-to-guess passwords such as “123456” or “password”.
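As an added illustration (not code from the article, nor Instagram's own), the login guard below applies the two controls the fix is described as adding: throttling failed attempts per client IP and per target account, checked before the credential check so a throttled client learns nothing even from a correct guess, plus a denylist for trivially guessable passwords. The thresholds, window and denylist are hypothetical.

```python
from collections import defaultdict, deque
from time import monotonic

# Hypothetical policy values, not Instagram's.
MAX_PER_IP = 20        # failed attempts allowed per IP within the window
MAX_PER_ACCOUNT = 10   # failed attempts allowed against one account within the window
WINDOW_SECONDS = 600

# Constructed stand-in for a real weak-password blocklist.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "12345678"}


class LoginGuard:
    def __init__(self, clock=monotonic):
        self.clock = clock
        self.failures_by_ip = defaultdict(deque)       # ip -> timestamps of failures
        self.failures_by_account = defaultdict(deque)  # username -> timestamps of failures

    def _over_limit(self, dq, limit, now):
        # Drop failures that fell out of the sliding window, then compare.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()
        return len(dq) >= limit

    def attempt(self, ip, username, password, check_credentials):
        """Return 'ok', 'denied' or 'rate_limited'.

        Both limits are evaluated before the credential check: once either
        budget is spent the caller gets the same answer whether or not the
        password is right. Throttling (rather than a hard lockout) also avoids
        handing an attacker a way to lock legitimate users out of their accounts.
        """
        now = self.clock()
        if (self._over_limit(self.failures_by_ip[ip], MAX_PER_IP, now)
                or self._over_limit(self.failures_by_account[username], MAX_PER_ACCOUNT, now)):
            return "rate_limited"
        if check_credentials(username, password):
            return "ok"
        self.failures_by_ip[ip].append(now)
        self.failures_by_account[username].append(now)
        return "denied"


def password_allowed(password):
    """Reject denylisted passwords and anything under a minimum length (hypothetical policy)."""
    return len(password) >= 8 and password.lower() not in WEAK_PASSWORDS
```

The per-account counter is what defeats a guessing campaign spread across many IP addresses, and the per-IP counter is what stops one address spraying guesses across many accounts; the sliding window lets a genuine user recover without operator intervention.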

Facebook awarded Swinnen a $5,000 (£3,400) bounty for the flaws.

Instagram introduced two-factor authentication in February, nearly five years after its parent company Facebook brought in the technique.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
