Arne Swinnen's Security Blog: How I Could Steal Money from Instagram, Google and Microsoft
TL;DR: Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/…. Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number. The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved.
Facebook's Instagram - Timeline
- 5 September 2015: Initial bug report sent to Facebook
- 13 November 2015: Initial decline of Facebook (see above), followed by elaboration from my side
- 21 December 2015: Second decline of Facebook (see above), followed by elaboration from my side
- 22 December 2015: Acceptance of the bug report
- 6 January 2016: Vulnerability patched
- 9 January 2016: Bug bounty of $2000 awarded.
- 11 January 2016: Confirmation of bounty multiplication by a factor of two ($4000) to donate to the non-profit Let Us Change Ethiopia, which supports street children in Ethiopia.
Google - Timeline
- 9 February 2016: Initial bug report sent to Google VRP
- 10 February 2016: Initial response of Google, suggesting I use the vulnerability to break into please.break.in@gmail.com
- 10 February 2016: Email sent to Google asking for clarification
- 11 February 2016: Response from Google saying their previous mail was not meant to be sent to me, and they are investigating the issue until further notice.
- 16 February 2016: Initial decline of Google: “This issue has very little or no security impact, and therefore we believe that it is not in scope for the program”, followed by elaboration from my side
- 17 February 2016: Response from Google saying that the previous mail was an automated response which shouldn’t have been sent, and they are still investigating the issue. However, adding that “Surprisingly, money is less sensitive/impactful than access to user data. That’s not to say money isn’t important, it’s just that money is easy to recover from than user trust, so while I agree it’s ironic, I think it’s better for our users like this”
- 23 February 2016: Update from Google that the investigation is still ongoing
- 1 March 2016: Final response of Google (see above)
Microsoft - Timeline
- 14 February 2016: Initial bug report sent to Microsoft Security Response Center
- 15 February 2016: Initial confirmation by Microsoft
- 11 March 2016: Initial fix communicated by Microsoft
- 13 March 2016: Response by me that retest indicated that only the prepending bypass was fixed, not the appending bypass
- 15 March 2016: Confirmation of retest result by Microsoft
- 3 June 2016: Communication of Bounty value of $500
- 6 June 2016: Question for elaboration of the Bounty decision with regards to the vulnerability impact
- 15 July 2016: Elaboration of Microsoft with regards to the Bounty value (see above) and confirmation of the fix deployment
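The check the TL;DR says was missing, as an added example (my own code, not the author's and not Instagram's, Google's or Microsoft's): a validator that allow-lists phone numbers by structure instead of deny-listing premium prefixes, so that the prepended and appended digits mentioned in the Microsoft timeline fail the shape checks as well. The numbering-plan table is a constructed, incomplete illustration.

```python
import re

# Constructed, deliberately incomplete numbering-plan table for illustration only:
# country code -> allowed national-number lengths and premium-rate prefixes.
# A real deployment would use a maintained library or carrier data, not this table.
PLAN = {
    "44": {"lengths": {10}, "premium": ("9",)},     # UK: 09xx ranges are premium rate
    "32": {"lengths": {8, 9}, "premium": ("90",)},  # Belgium: 090x ranges are premium rate
    "1": {"lengths": {10}, "premium": ("900",)},    # NANP: 900 area code is premium rate
}


def normalize(raw: str) -> str:
    """Strip formatting and return '+<digits>'; reject anything without a country code."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):          # international dialling prefix
        digits = "+" + digits[2:]
    if not digits.startswith("+") or "+" in digits[1:]:
        raise ValueError("expected a single leading '+' or '00' followed by digits")
    return digits


def classify(raw: str) -> tuple[str, str]:
    """Return ('accept', e164) or ('reject', reason).

    Allow-list by structure rather than deny-listing premium prefixes: a number is
    accepted only if it fits the plan exactly, so digits prepended or appended to a
    premium number fail the shape checks before the premium check is even reached.
    """
    try:
        num = normalize(raw)
    except ValueError as exc:
        return "reject", str(exc)
    body = num[1:]
    cc = next((c for c in sorted(PLAN, key=len, reverse=True) if body.startswith(c)), None)
    if cc is None:
        return "reject", "unknown country code"
    national = body[len(cc):]
    plan = PLAN[cc]
    if national.startswith("0"):
        return "reject", "trunk prefix after country code"  # e.g. +44 (0) 9..., a prepending trick
    if len(national) not in plan["lengths"]:
        # Carriers may route on the leading digits and ignore trailing ones, so a
        # prefix deny-list alone misses appended digits; the length check closes that.
        return "reject", "wrong length for numbering plan"
    if national.startswith(plan["premium"]):
        return "reject", "premium-rate prefix"
    return "accept", num
```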