A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source.
The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain.
“This time I found a RFD on
Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account. What we need?
A token. No worries we just need to register a new user to get one,” Sopas wrote in a
post explaining the bug and exploitation technique.
