Friday, September 1, 2017

Justin Bieber and Selena Gomez ramp up on API Security

When your ex-girlfriend's Instagram gets hacked through an API security breach and your risqué pictures go viral, you rapidly try to understand the root cause of the breach and commit to becoming an API security expert.

Maybe that is expecting too much of Justin Bieber and Selena Gomez; still, the incident ought to make API security concerns viral and mainstream. Initially, the API security breach was purportedly limited to "high-profile" users à la Gomez et al.

The latest report indicates that a database of over 10,000 users may have been exposed, and that potentially over 6 million users' data was scraped for sale at $10 per query. For details see:

Site sells Instagram users’ phone and e-mail details, $10 a search

Technical Details: Here are the steps the hackers may have taken in this API security breach:

  1. Pick the outdated Instagram mobile app version 8.5.1.
  2. Create a valid Instagram account.
  3. Select the password-reset option.
  4. Use a web proxy to act like the mobile app calling the Instagram servers.
  5. Modify the request at the web proxy, replacing the user id with the celebrity's.
  6. The Instagram server sends a JSON-formatted response with the celebrity's personal information.

For this particular attack, it seems a legitimate user session is established first. A password-reset request carrying a user id other than the session's own user is then sent to the Instagram server, which leaks the *impersonated* user's email address and phone number in its JSON response. I wondered why a password reset would return this data at all; perhaps the mobile app validates it against what it has stored locally on the phone. The web proxy in the middle simply ignores that client-side validation. Had JSON Web Encryption (JWE) been enabled on the JSON response, the web-proxy-in-the-middle would have seen only the encrypted data.
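The server-side root cause described above is that the reset endpoint trusts a client-supplied user id and echoes the target's full contact details back. The following is an added example, not Instagram's code and not from the original post, modelling both the leaky handler and a hardened one as plain Python functions: the hardened version derives the target from the session, logs any mismatching user id for detection, and returns only masked hints rather than the raw email and phone. Account data, session tokens and the audit log are constructed sample values; the `send_reset_code` stub and all names are hypothetical.

```python
"""Password-reset handler, vulnerable and hardened, modelled on the Instagram
leak described above. Hypothetical example code; all data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    email: str
    phone: str


# Constructed sample accounts: one ordinary user and one "celebrity".
USERS: Dict[str, User] = {
    "1001": User("1001", "attacker@example.com", "+1-555-0100"),
    "2002": User("2002", "celebrity@example.com", "+1-555-0199"),
}

# Constructed session store: session token -> user_id of the logged-in user.
SESSIONS: Dict[str, str] = {"sess-attacker": "1001"}

# Audit trail a detection team could alert on (constructed, in-memory).
AUDIT_LOG: List[str] = []


def send_reset_code(user: User) -> None:
    """Stub for the out-of-band reset delivery (SMS/email); not modelled here."""


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain only."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last two digits."""
    digits = "".join(c for c in phone if c.isdigit())
    return "*" * (len(digits) - 2) + digits[-2:]


def reset_vulnerable(session_token: str, body: dict) -> dict:
    """Vulnerable: only checks that *some* session exists, then trusts the
    user_id supplied in the request body and returns that user's raw
    contact details. A proxied request carrying someone else's id leaks them."""
    if session_token not in SESSIONS:
        return {"status": "error", "reason": "not logged in"}
    target: Optional[User] = USERS.get(body.get("user_id", ""))
    if target is None:
        return {"status": "error", "reason": "no such user"}
    send_reset_code(target)
    return {"status": "ok", "email": target.email, "phone": target.phone}


def reset_hardened(session_token: str, body: dict) -> dict:
    """Hardened: the target is whoever owns the session. A user_id in the body
    is tolerated only if it matches the session's user; any mismatch is
    refused and written to the audit log. The response carries masked hints,
    never the raw email or phone, so there is nothing useful to intercept."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        return {"status": "error", "reason": "not logged in"}
    requested = body.get("user_id")
    if requested is not None and requested != caller_id:
        AUDIT_LOG.append(
            f"session={session_token} user={caller_id} "
            f"attempted reset for user={requested}"
        )
        return {"status": "error", "reason": "forbidden"}
    target = USERS[caller_id]
    send_reset_code(target)
    return {
        "status": "ok",
        "email_hint": mask_email(target.email),
        "phone_hint": mask_phone(target.phone),
    }


if __name__ == "__main__":
    tampered = {"user_id": "2002"}  # body rewritten to another user's id
    print("vulnerable:", reset_vulnerable("sess-attacker", tampered))
    print("hardened:  ", reset_hardened("sess-attacker", tampered))
    print("audit log: ", AUDIT_LOG)
```

The masked hints mirror what reset flows commonly show ("we sent a code to c********@example.com"), which is enough for the legitimate user and worthless to anyone else. The audit entry is the detection hook: a session that repeatedly requests resets for ids other than its own is exactly the scraping pattern the report describes, and a rate limit keyed on that counter would have made the $10-per-query business impractical.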
