Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
rcmaehl

Password Downloads - Instagram leaks user passwords in plaintext

Recommended Posts

Posted · Original PosterOP

Source:
Sophos
 

Summary:

Instagrams' new GDPR tool for downloading your data leaked user passwords in plain text. "Only a handful of users affected"

 

Quotes/Excerpts:

Quote

Instagram released the long-anticipated download your data tool. The feature gave users the ability to download images, posts and comments. Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, it said. It means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around. Facebook didn’t say whether anybody’s Instagram account was compromised because of the error. This never would have happened if Instagram was doing encryption right. For the Facebook-owned Instagram to be able to trip up and post plaintext passwords in URLs, that means that somewhere inside of Instagram, users’ passwords are bouncing around in plain text. 

 

My Thoughts:

Ironic. A tool meant to comply with GDPR has ended up being a GDPR violation in itself. Facebook is seemingly making a large amount of security mistakes, perhaps it's time for some regulatory oversight?


NotCPUCores Dev | Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 2933MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS


 

Link to post
Share on other sites

The Slow Clap: Examples, Usage and History | Gentlemint Blog


Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 

Link to post
Share on other sites

A privacy and security violation by a Facebook property, who would have guessed. I don't care if it was a glitch or not a glitch, passwords should be IRRETRIEVABLE, PERIOD.

 

ONE WAY ENCRYPTION

 

GRAAAAAH

Link to post
Share on other sites
3 minutes ago, HarryNyquist said:

A privacy and security violation by a Facebook property, who would have guessed. I don't care if it was a glitch or not a glitch, passwords should be IRRETRIEVABLE, PERIOD.

 

ONE WAY ENCRYPTION

 

GRAAAAAH

Hash, salt, and pepper. 


muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to post
Share on other sites
Posted · Original PosterOP
2 minutes ago, Syntaxvgm said:

Hash, salt, and pepper. 

Soup, salad, breadsticks


NotCPUCores Dev | Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 2933MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS


 

Link to post
Share on other sites
5 minutes ago, HarryNyquist said:

I don't care if it was a glitch or not a glitch

It can't be a glitch.

ANY variable (like a password) somehow has to make its way to the address bar. It does not magically jump up there, without someone explicitly writing code that does exactly that.

 

So one coder explicitly wrote code that used the address bar as a way to transport variables from place A to B. That in itself is silly.

Then this coder, or worse: another one, ... decided it was a great idea to use this "data transfer" method to pass along a password.

And then we get to the third issue: Someone also decided it was a good idea to not encode said password, which it should have been, even if it would not have ended up in the freaking address bar due to a 1990 way of passing data around.

Link to post
Share on other sites

WHY is Instagram EVEN STORING these passwords AT ALL?


AMD Ryzen 7 3.8ghz at 1.3V Corsair vengeance LPX 8GB 2800mhz @ 3200mhz CAS 16 + 2*4GB micron ballistics @ 3200mhz cas 16 ;Gigabyte ga-ab350-Gaming 3; cooler master nepton 240M ; CF r9 290x tri x + r9 290 tri x ; CX750M PSU ; SPEC 03 case with 9 120mm fans ; windows 10 64 bit 

Link to post
Share on other sites
Just now, Coaxialgamer said:

WHY is Instagram EVEN STORING these passwords AT ALL?

Well, it has to be stored somewhere, you know... in order to be checked against for the use case of a user wanting to log in.

There is many bad things happening here, but storing the password is not one of them. 😉

Link to post
Share on other sites
Just now, Tech Enthusiast said:

Well, it has to be stored somewhere, you know... in order to be checked against for the use case of a user wanting to log in.

There is many bad things happening here, but storing the password is not one of them. 😉

They don't need to store passwords , and never should have. No secure site ever stores these , let alone in plain text.

 


AMD Ryzen 7 3.8ghz at 1.3V Corsair vengeance LPX 8GB 2800mhz @ 3200mhz CAS 16 + 2*4GB micron ballistics @ 3200mhz cas 16 ;Gigabyte ga-ab350-Gaming 3; cooler master nepton 240M ; CF r9 290x tri x + r9 290 tri x ; CX750M PSU ; SPEC 03 case with 9 120mm fans ; windows 10 64 bit 

Link to post
Share on other sites
Just now, Coaxialgamer said:

They don't need to store passwords , and never should have. No secure site ever stores these , let alone in plain text.

 

So, how do these sites check if you entered the correct password, if they don't have it stored? (I agree on the plain text thing, as mentioned before)

Link to post
Share on other sites
Just now, Tech Enthusiast said:

So, how do these sites check if you entered the correct password, if they don't have it stored? (I agree on the plain text thing, as mentioned before)

Why do you think sites usually make you set a new password when you forget your existing one , instead of just sending it you ? It's precisely because they can't.

Websites only stores the hashes of user passwords , which are salted for good measure (a random string is added in to the input so that identical passwords don't have matching hashes). When a user enters a password, the input is hashes and checked against the stored info. If it matches , the password is correct (that's a property of hashing algorithms: two identical inputs produce the same hash). 

Not only should Instagram not have had these plain text passwords in their database , they shouldn't even have the KEYS for decrypting them.


AMD Ryzen 7 3.8ghz at 1.3V Corsair vengeance LPX 8GB 2800mhz @ 3200mhz CAS 16 + 2*4GB micron ballistics @ 3200mhz cas 16 ;Gigabyte ga-ab350-Gaming 3; cooler master nepton 240M ; CF r9 290x tri x + r9 290 tri x ; CX750M PSU ; SPEC 03 case with 9 120mm fans ; windows 10 64 bit 

Link to post
Share on other sites
4 minutes ago, Tech Enthusiast said:

So, how do these sites check if you entered the correct password, if they don't have it stored? (I agree on the plain text thing, as mentioned before)

At the absolute minimum, the plaintext password is taken, and its hash value is computed. The hash function produces the same output for any input, say, 'hunter2' passed through the MD5 hash function would become 6a0f0731d84afa4082031e3a72354991.

 

This hash is what gets stored. Storing something like that MD5 hash alone is very insecure, because MD5 has such a small space that rainbow tables, giant tables of hash values & corresponding plaintext, can be easily consulted to "decrypt" the password.

 

To prevent this vulnerability (or mitigate it), the plaintext password gets salted with another value. A common (and bad) practice is to use the username as a salt, so instead of hashing just 'hunter2', the plaintext to be hashed becomes 'stupid_redditor:hunter2' or something. That adds complexity and makes it more difficult to crack.

 

The best kind of hash is one that uses a random salt, and has modifiable parameters for hashing (such as multiple hash iterations) that will exponentially increase the complexity of the hash and the difficulty of both brute-force cracking and rainbow table cracks (say, the bcrypt hashing function).

 

 

Link to post
Share on other sites
Quote

It means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around. Facebook didn’t say whether anybody’s Instagram account was compromised because of the error. 

I would call this compromised. 

Link to post
Share on other sites
6 minutes ago, Speed Weed said:

Dam, we are still not using encryption technology in 2018?

While this would be better than plaintext, using encryption to store passwords is much weaker than something like cryptographic hashing with salt.

 

So basically, unless the website is using hash and salt to store your passwords, you shouldn't consider it all that secure.

 

Link to post
Share on other sites
Just now, M.Yurizaki said:

While this would be better than plaintext, using encryption to store passwords is much weaker than something like cryptographic hashing with salt.

  

So basically, unless the website is using hash and salt to store your passwords, you shouldn't consider it all that secure.

 

Encryption make it more difficult to crack than a plain text. This is 2018, and we should have no excuse to not use encryption technology while hackers are already using them to encrypted our files with ransomware. 

Link to post
Share on other sites
3 minutes ago, Speed Weed said:

Encryption make it more difficult to crack than a plain text. This is 2018, and we should have no excuse to not use encryption technology while hackers are already using them to encrypted our files with ransomware. 

Well sure, that's why I said encryption is better than plain text. But it's still much weaker than hashing + salt. The problem with encryption is:

  • You need a key to encrypt something and the database has to be able to know what that key is. This basically means storing a "master password" in plaintext somewhere on the server itself.
  • Encryption spits out the same thing every time. Given how popular dumb passwords are like "password" and "123456", an attacker could gain control of a lot of accounts.
  • Encryption methods produce a varying amount of data for a given input. AES-128 for example, spits out 16 bytes for up to every 16 bytes you spit into it. This provides clues to an attacker how long the password is.

Hashing + salt is much better because it has none of those flaws.

Link to post
Share on other sites
2 minutes ago, M.Yurizaki said:

Well sure, that's why I said encryption is better than plain text. But it's still much weaker than hashing + salt. The problem with encryption is:

  • You need a key to encrypt something and the database has to be able to know what that key is. This basically means storing a "master password" in plaintext somewhere on the server itself.
  •  Encryption spits out the same thing every time. Given how popular dumb passwords are like "password" and "123456", an attacker could gain control of a lot of accounts.
  •  Encryption methods produce a varying amount of data for a given input. AES-128 for example, spits out 16 bytes for up to every 16 bytes you spit into it. This provides clues to an attacker how long the password is.

Hashing + salt is much better because it has none of those flaws.

Very interesting. Do you mind to explain the pros and cons of hashing + salt and how is it more benefit than encryption? 

Link to post
Share on other sites
1 minute ago, Speed Weed said:

Very interesting. Do you mind to explain the pros and cons of hashing + salt and how is it more benefit than encryption? 

Pros:

  • No key is needed.
  • The output is theoretically different every time for a given input.
  • The output is the same size regardless of input, so you can't tell how big the input originally was.

Cons:

  • Since hashing is theoretically irreversible, if you change the hashing algorithm, everyone has to update their passwords.
    • This is contrast with encryption, if you want to change the encryption method, you just decrypt the passwords and encrypt using the new method.
  • Some hashing algorithms can be computationally expensive.
    • This actually is a pro in some regard, as this discourages brute-force attacks.

 

On a side note, it's possible that if the website gives you a plaintext password, it may be using encryption because it can still give you your password in plaintext.

Link to post
Share on other sites
1 hour ago, Coaxialgamer said:

When a user enters a password, the input is hashes and checked against the stored info. If it matches , the password is correct

And that is exactly what i said.

The password is stored. It has to be stored to be checked against. 

I never said anything about plain text apart from plain text being sucky as hell. How a PW is stored does not change the fact that it is stored. It can be hased, salted, and a cherry could be placed on top, it is still stored.

Returning the PW to the user was never in question, however to be quite frank here: If you can encrypt a PW, you can decrypt it as well. It just sounds better if you claim you can not. I am unaware of any method to encrypt something that can't be reveresed with exactly the same steps in reverse.

 

That however, does not change the fact that these idiots used unencryped PWs and even put them up for grabs in the address bar.

Link to post
Share on other sites

Having trouble putting 2 and 2 together here... This leak does not necessarily confirm that passwords were stored on the server in plaintext, only that plaintext passwords were sent to the server. The Sophos article says that Facebook/Instagram said that passwords were stored in plaintext in the user notice they sent out, but I can't confirm that in the original article, which is locked behind a paywall. Can anyone confirm or deny that Facebook/Instagram actually said this? It's very possible that either of these sources is making a false conclusion here, either due to incompetence or wanting to get a bigger headline.

 

EDIT: Never mind, this source has specific text from the notice in it, which specifies that plaintext passwords were stored on the server. It seem that this was a direct result of the way they were doing this particular feature, though, and not the way that they were typically storing passwords for login purposes. That explains why it's connected to the leak.

Edited by kuhnerdm
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×