
XSS on sites using the Instagram API

While developing an application using the Instagram API, I noticed that the tags I receive are not converted. Of course, this problem is solved in a couple of lines of code. But I thought, what if not all developers convert tags to HTML entities before outputting them to the page, trusting the API completely? Who would expect the description of an Instagram page to contain a JS script instead of text?

I found such sites.

To begin with, I added an include of a remote JS script to the profile description, and the following line to the description of some photos:
<script >alert(document.cookie);</script> 
and several hashtags, including #instagramapi.

The first site I found is Iconosquare.
IconoSquare is a useful application for analyzing and managing your account on Instagram. A convenient web interface saves time and helps in communicating with subscribers. Through IconoSquare, you can view profiles or search by hashtag.


On this site, I decided to look for my photo using the #instagramapi hashtag; in my case it was a photo with a cat.

When I clicked on a photo, I was taken to the page containing the description of the photo, but Iconosquare forgot to convert HTML tags to entities. This made it possible to perform XSS.

Having opened the source of the page, it immediately became clear that they had forgotten to convert the tags in the meta description of the page.

On the user’s page, they didn’t convert the name and description of the Instagram profile - and here’s the result.

The next site I found is facegram.io.

As I understand it, facegram.io is another Instagram Web Viewer. The service has about 50,000 followers on Facebook, so I think it can be considered popular.

Here we are also looking for the #instagramapi hashtag and here is the result:

Similarly on the user page.

In fact, I found 27 sites where you can conduct an XSS attack. I think that it is not necessary to describe them all, here are links to pages with XSS.


I tried writing to Iconosquare and to the support of several other sites, but they didn’t respond. Maybe one of you will be able to inform the developers of these sites about the vulnerability.

PS This article is written to inform developers that you should not trust the data received from Instagram API.

PPS The situation is similar with applications using the Facebook API.
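
The flaw described above and its fix, side by side, as an added example that is not code from the original article or from any of the sites mentioned. The record's field names and the page template are assumptions made for the illustration; the sample data is constructed.

```python
import html
import json

# Constructed sample shaped like a record returned by a third-party API.
# Field names are assumptions for this example, not the real Instagram schema.
SAMPLE_API_RESPONSE = json.dumps({
    "full_name": "Cat <b>owner</b>",
    "caption": 'My "cat" <script >alert(document.cookie);</script> #instagramapi',
})

# Hypothetical page template: the caption lands in an attribute value
# (meta description) and in element content, the name in element content.
PAGE = (
    '<html><head><meta name="description" content="{meta}"></head>'
    "<body><h1>{name}</h1><p>{caption}</p></body></html>"
)


def render_unsafe(record: dict) -> str:
    """The flawed pattern: API strings are pasted into markup verbatim."""
    return PAGE.format(meta=record["caption"], name=record["full_name"],
                       caption=record["caption"])


def render_safe(record: dict) -> str:
    """Encode every API string at the point of output."""
    # quote=True also encodes " and ', which an attribute value requires.
    meta = html.escape(record["caption"], quote=True)
    # Element content needs <, > and & encoded.
    name = html.escape(record["full_name"])
    caption = html.escape(record["caption"])
    return PAGE.format(meta=meta, name=name, caption=caption)


def contains_live_markup(page: str) -> bool:
    """Demo check: did an API-supplied <script or <b tag reach the page?"""
    lowered = page.lower()
    return "<script" in lowered or "<b>" in lowered


if __name__ == "__main__":
    record = json.loads(SAMPLE_API_RESPONSE)
    print("unsafe output carries markup:", contains_live_markup(render_unsafe(record)))
    print("safe output carries markup:  ", contains_live_markup(render_safe(record)))
```

Encoding happens when the page is rendered, not when the API response is stored, so the same record can later be emitted into another context (JSON, a URL, a JavaScript string) with the encoder that context needs.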

Source: https://habr.com/ru/post/249589/

