 
arunphilip
Gerbil Team Leader
Topic Author
Posts: 259
Joined: Sun Jul 28, 2013 11:46 am

Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 2:32 pm

Instagram has come forward to users informing them that as a result of a security flaw their passwords could have been exposed. An Instagram spokesperson has said that the issue was 'discovered internally and affected a very small number of people'.

The security flaw lies in the 'Download Your Data' tool, which was devised to comply with the EU GDPR regulations. For some users it could have included their password in the URL of the link they've been sent to, um, download their data. If they were on a shared computer, that link would have exposed their password to people using it after them.


Source: https://www.gsmarena.com/security_flaw_ ... -34282.php

I think the biggest question is why they store the password in plaintext (or a recoverable) format. I thought this was Security 101 over a decade ago!
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 2:37 pm

I'm guessing it was a URL generated locally by JavaScript running in the browser. At least, I sure hope so... if not, then this is even more egregious.
Nostalgia isn't what it used to be.
 
arunphilip
Gerbil Team Leader
Topic Author
Posts: 259
Joined: Sun Jul 28, 2013 11:46 am

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 3:06 pm

just brew it! wrote:
I'm guessing it was a URL generated locally by JavaScript running in the browser. At least, I sure hope so... if not, then this is even more egregious.

The way I understand this feature (if it's similar to what Facebook offers) is that you click the button on the site to request a download. That download doesn't occur immediately via the browser, but some time later, you'd receive an email from Instagram with the link in it to download a zip file of your Instagram account's contents.

It could be that the password was captured at the time the button was clicked, as you say, but the real WTF is an email subsequently being sent with the password in the clear.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 4:18 pm

Most developers are incompetent, especially when it comes to multi-threaded code or security. This is one of my big takeaways from over 3 decades in tech. The "move fast and break things" ethos that seems to be prevalent now doesn't help either.
Nostalgia isn't what it used to be.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:05 pm

Wow. No matter how it happened, whoever wrote that code should be ashamed.
Victory requires no explanation. Defeat allows none.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:09 pm

Waco wrote:
Wow. No matter how it happened, whoever wrote that code should be ashamed.

No argument there. Incorporating a plaintext password into a URL is an epic fail. The only remaining question is regarding the degree of epic-ness. (I.e. is the plaintext password stored permanently anywhere...)
Nostalgia isn't what it used to be.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:10 pm

If the latter, their entire security team should be sacked.
Victory requires no explanation. Defeat allows none.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:12 pm

If they even have a security team... stuff like this makes you wonder.
Nostalgia isn't what it used to be.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:20 pm

Should also be noted that assuming this was HTTPS, aside from the DNS lookup the rest of the URL was encrypted "on the wire"... so there's that, as a potential mitigating factor. OTOH, the plaintext password probably got saved in a server access log at Instagram, since it was part of the request URL. So effectively, they're probably storing plain text passwords somewhere, even if they're not doing it explicitly in their user database.

Facebook and their various subsidiary online properties/brands can DIAF. The world would be a better place without them. (And if we want to go deeper into this tangent, we'll need an R&P thread.)
Nostalgia isn't what it used to be.
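
An added illustration of the access-log point in the post above (not part of the original post, and not Instagram's code): a small scanner that finds request URLs carrying a credential in the query string and rewrites the log line with the value redacted. The parameter names in `SENSITIVE_KEYS` and the log lines are constructed assumptions; the thread does not say what the real URL looked like.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the thread does not say what the real URL used.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Request line inside a combined-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (redacted_target, sorted list of sensitive keys found)."""
    parts = urlsplit(target)
    found = set()
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            found.add(key.lower())
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)


def scan_log(lines):
    """Return (line_number, keys, redacted_line) for each line that leaks a secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, keys = redact_target(match.group("target"))
        if keys:
            clean = line[:match.start("target")] + redacted + line[match.end("target"):]
            findings.append((number, keys, clean))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Nov/2018:14:32:01 +0000] "GET /download/?file=export.zip HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Nov/2018:14:32:09 +0000] "GET /download/?user=alice&password=hunter2%21 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [17/Nov/2018:14:33:40 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, keys, clean in scan_log(SAMPLE_LOG):
        print(f"line {number}: {keys} -> {clean}")
```

Redacting at log-write time is better than cleaning up afterwards, since any copy of the log already shipped to backups or a SIEM still holds the original value.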
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:29 pm

Not just a server access log at Instagram, but if it's accessed on a corporate network then it's very likely stored in the company's firewall and/or proxy logs, too.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sat Nov 17, 2018 5:38 pm

curtisb wrote:
Not just a server access log at Instagram, but if it's accessed on a corporate network then it's very likely stored in the company's firewall and/or proxy logs, too.

Yup, if you've got an employer who uses a proxy that effectively does a "man in the middle" attack on all HTTPS connections, which is actually quite common. The corporate OS/browser image includes security certificates which cause the web browser to trust the proxy unconditionally. But you're not getting end-to-end encryption, since the traffic gets decrypted and re-encrypted inside the proxy. They're certainly legally within their rights to do this, but this introduces another weak point in the security chain, since anyone with admin access to the proxy (whether legitimately obtained or not) can potentially spy on the plaintext of any HTTPS traffic passing through it.

Even if your employer allows incidental personal use of your company-provided device, consider using a personal device on the guest WiFi network instead (if this is an option) for any personal stuff. That way, you'll get a security alert from your web browser if there's any certificate spoofing going on at the firewall/proxy.
Nostalgia isn't what it used to be.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sun Nov 18, 2018 8:21 am

I wish personal devices were allowed where I work. I can't even wear my fitness watch because it has Bluetooth. :lol:


I mean, I understand why, but it makes it no less annoying.
Victory requires no explanation. Defeat allows none.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sun Nov 18, 2018 9:26 am

Waco wrote:
I wish personal devices were allowed where I work. I can't even wear my fitness watch because it has Bluetooth. :lol:

I mean, I understand why, but it makes it no less annoying.

Yup... high-security environments are a PITA, and not just because personal devices aren't allowed. Lots of other security measures that make it more difficult to get your job done too. One place I used to work had a web proxy that seemed to block sites at random, including many sites with useful technical information and tutorials which were relevant to the projects being worked on. You basically had three options:

1. Submit a request to have the site reviewed and unblocked. Turnaround time typically a couple of weeks, unless you pestered the IT security team to expedite it (which as often as not would just piss them off, without making things happen any faster).

2. Keep looking for other sites with related info, and hope they weren't blocked too.

3. Go somewhere with public WiFi (there was a bar a couple of blocks up the road with an AP... :lol:), and use a personal device to read the blocked site.

Eventually they added a single shared PC in our facility which was outside of our secure network, that people could use to do web searches without being blocked by the filter.
Nostalgia isn't what it used to be.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sun Nov 18, 2018 9:57 pm

It's worse for my site - we have both a locked-down "open" network and an air-gapped secure network. Luckily it's super rare for useful information to be blocked on the open side, and Wayback Machine is a convenient end-run to the occasional site that is blocked.
Victory requires no explanation. Defeat allows none.
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Sun Nov 18, 2018 10:05 pm

just brew it! wrote:
curtisb wrote:
Not just a server access log at Instagram, but if it's accessed on a corporate network then it's very likely stored in the company's firewall and/or proxy logs, too.

Yup, if you've got an employer who uses a proxy that effectively does a "man in the middle" attack on all HTTPS connections, which is actually quite common. The corporate OS/browser image includes security certificates which cause the web browser to trust the proxy unconditionally. But you're not getting end-to-end encryption, since the traffic gets decrypted and re-encrypted inside the proxy. They're certainly legally within their rights to do this, but this introduces another weak point in the security chain, since anyone with admin access to the proxy (whether legitimately obtained or not) can potentially spy on the plaintext of any HTTPS traffic passing through it.

Even if your employer allows incidental personal use of your company-provided device, consider using a personal device on the guest WiFi network instead (if this is an option) for any personal stuff. That way, you'll get a security alert from your web browser if there's any certificate spoofing going on at the firewall/proxy.


In this case the password is in the URI so it doesn't even have to decrypt the actual site traffic. The URIs still get transmitted clear text because the proxy/firewall/DNS/router/etc. has to know where the request is going to in order to return it.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Mon Nov 19, 2018 8:24 am

curtisb wrote:
In this case the password is in the URI so it doesn't even have to decrypt the actual site traffic. The URIs still get transmitted clear text because the proxy/firewall/DNS/router/etc. has to know where the request is going to in order to return it.

AFAIK, only the DNS lookup (host name) is done in the clear when using HTTPS. The rest of the URI is encrypted before being sent.
Nostalgia isn't what it used to be.
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Instagram reveals passwords in plaintext when using 'Download Your Data'

Mon Nov 19, 2018 10:19 am

just brew it! wrote:
curtisb wrote:
In this case the password is in the URI so it doesn't even have to decrypt the actual site traffic. The URIs still get transmitted clear text because the proxy/firewall/DNS/router/etc. has to know where the request is going to in order to return it.

AFAIK, only the DNS lookup (host name) is done in the clear when using HTTPS. The rest of the URI is encrypted before being sent.


I believe you are correct. However, we've never had any of our firewalls configured to break down SSL packets and have always been able to see the full URI in the logs. This spans three different manufacturers (Juniper, Palo Alto, and Sonicwall). Odds are access to those logs is fairly restricted, but it's still something to consider in a case like this.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
