TL;DR: Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed to overtake a selection of temporary locked Instagram accounts. An extrapolation of the PoC account range learned that 4% of all existing & active Instagram accounts (approx. 500 million) were in a vulnerable locked state (approx. 20 million). Facebook fixed the vulnerability within a day and granted a $5.000 bounty 10 days later.
Research
The Tales of a Bug Bounty Hunter: 10 Interesting Vulnerabilities in Instagram
Abstract: Bug bounty hunting is the new black! During this technical talk, 10 interesting vulnerabilities identified in Instagram will be presented. All vulnerabilities were disclosed responsibly via Facebook’s Public Bug Bounty program over the course of 2015 and 2016, and will be discussed in depth. Required advanced Mobile Security attack techniques for this Research, such as Binary Modification, Dynamic Hooking and Burp Suite Plugin Development will be covered, among other trickery.
The most interesting vulnerabilities were hybrid: Combinations of complementary vulnerabilities in different environments (e.g. Web and Mobile). All identified issues’ root causes will be mapped onto the Software Development Life Cycle (SDLC), to analyze where they could have been prevented from materializing. Last but not least, the monetary rewards offered by Facebook for each vulnerability and general Bug Bounty Hunting advice will be shared with the community.
Conferences: BSidesSF16, SANS Night 2016, SecAppDev 2016, OWASP Benelux Day 2016
Slides: V1 (long), V2 (AppSecEU16)
Videos: BSidesSF (50min), AppSecEU16 (50min)
One Packer to Rule Them All: Empirical Identification, Comparison and Circumvention of Current Antivirus Detection Techniques
Abstract: Lately, many popular antivirus solutions claim to be the most effective against unknown and obfuscated malware. Most of these solutions are rather vague about how they supposedly achieve this goal, making it hard for end-users to evaluate and compare the effectiveness of the different products on the market. This presentation presents empirically discovered results on the various implementations of these methods per solution, which reveal that some antivirus solutions have more mature methods to detect x86 malware than others, but all of them are lagging behind when it comes to x64 malware. In general, at most three stages were identified in the detection process: Static detection, Code Emulation detection (before execution), and Runtime detection (during execution). New generic evasion techniques are presented for each of these stages. These techniques were implemented by an advanced, dedicated packer, which is an approach commonly taken by malware developers to evade detection of their malicious toolset. Two brand new packing methods were developed for this cause. By combining several evasion techniques, real-world malicious executables with a high detection rate were rendered completely undetected to the prying eyes of antivirus products.
Conferences: Black Hat USA 2014, BruCON 2014, InfoSecurity Belgium 2015
Slides: Black Hat USA 2014 (25min), BruCON 2014 (1h), InfoSecurity Belgium 2015 (45 min)
Videos: Black Hat USA 2014 (25min), BruCON 2014 (1h)
Paper: PDF