
Risk

5/5/2020
03:25 PM

Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages

Attackers could have exploited the issue to lead online shoppers to malicious websites or to get them to download malware, Tenable says.

Grocery delivery service Instacart has fixed a security flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number.

A security researcher from Tenable Research discovered the vulnerability while using Instacart to buy dog food recently and reported it to the company on April 28. The shopping service fixed the issue on May 1, reducing risk for the millions of users who have begun using the service amid social distancing rules tied to the COVID-19 pandemic.

The problem had to do with a feature on Instacart's website that is designed to get users to download the company's mobile app. After shoppers have placed an order on Instacart's site, they are typically directed to a page where they are asked to enter their mobile phone numbers. Users who do so then receive a link via SMS that they can use to download Instacart's mobile application.

Jimi Sebree, a security research engineer at Tenable, discovered that when an Internet user provides a mobile phone number, a request is sent to a "request_invite" endpoint at Instacart. The request contains parameters such as a store or warehouse ID and a zone ID identifying the regional location of the store.

"The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application," Tenable said in a report on the issue today.

The security researcher found a weakness on Instacart's "request_invite" endpoint that essentially gave attackers a way to capture the user's request link information along with associated security headers and authentication information. He discovered that attackers could then modify the message to send an SMS message containing a malicious link to any phone number of their choice. The recipient would receive an unsolicited SMS appearing to be from Instacart with a link for purportedly downloading the company's mobile app. 

Because attackers would be able to control the link sent to the victim in the Instacart SMS message, they could trick users into downloading malware or unwanted applications onto their devices, or direct them to credential- and data-stealing websites.

Sebree discovered that the information in the link request was valid for only a limited length of time. So attackers would have needed to use that window to craft and send a malicious SMS. They could also simply have canceled an order and placed a new order to get a fresh opportunity to capture another request.

"Each request would target a single phone number," Sebree said in comments to Dark Reading. But an attacker could theoretically have sent as many requests as they wished, so long as they had a valid session with Instacart, he said.

"The caveat here is that sending too many messages would allow Instacart to potentially identify the malicious account due to increased traffic," he said.
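The pattern Tenable describes, shown as an added illustration that is not Instacart's or Tenable's code: a "request_invite" handler that trusts the client for the SMS link, beside one that builds the link server-side, validates the phone number, and rate-limits each session (the download link, the number format, the limits, and the session handling are all assumptions).

```python
import re
import time
from collections import defaultdict
from dataclasses import dataclass, field

# Server-owned download link; the client never supplies it (placeholder value).
APP_DOWNLOAD_LINK = "https://example.invalid/app"
E164 = re.compile(r"^\+[1-9]\d{6,14}$")  # E.164 phone-number shape
MAX_INVITES_PER_SESSION = 3              # assumed policy, not Instacart's
WINDOW_SECONDS = 3600


@dataclass
class InviteService:
    sent: list = field(default_factory=list)  # stands in for the SMS gateway
    history: dict = field(default_factory=lambda: defaultdict(list))

    def request_invite_vulnerable(self, session_id, payload):
        """Bug pattern: phone number AND link are both taken from the request body,
        so whoever holds a valid session controls what the SMS says and where it goes."""
        self.sent.append((payload["phone"], payload["link"]))
        return "sent"

    def request_invite_hardened(self, session_id, payload, now=None):
        """Only the phone number comes from the client; the link is fixed server-side,
        the number is validated, and each session gets a bounded number of invites."""
        now = time.time() if now is None else now
        phone = payload.get("phone", "")
        if not E164.match(phone):
            return "rejected: invalid phone number"
        recent = [t for t in self.history[session_id] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_INVITES_PER_SESSION:
            # A per-session cap turns the "too many messages" signal into a hard stop
            # and gives monitoring a concrete event to alert on.
            return "rejected: rate limit"
        self.history[session_id] = recent + [now]
        # Any "link" field in the payload is ignored; the SMS body is built here.
        self.sent.append((phone, APP_DOWNLOAD_LINK))
        return "sent"
```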

Heightened Risks
Earlier this year, researchers from Check Point Software Technologies discovered a near-identical vulnerability in the widely popular TikTok video-sharing platform. The company's researchers found that, just as with Instacart, attackers could send an SMS message with a malicious link to any phone number on behalf of TikTok. The vulnerability was one of several that Check Point discovered in the TikTok application.

For Internet users, such vulnerabilities are another reminder of the need to be cautious when clicking on links or opening messages that are either unsolicited or from people or entities with whom they have had no prior contact.

In recent weeks, attackers have been hammering away at Internet users with a variety of phishing, business email compromise, and other scams using themes related to the COVID-19 pandemic. Most have involved attempts to get users to disclose credentials and other sensitive data or to distribute malware by luring them to malicious sites purporting to offer information on COVID-19.

Collaboration platforms such as Microsoft Teams, Zoom, and Slack have become huge targets for attackers because of the sheer number of people who have begun using them these days to work from home. So far, few reports have shown heightened attacker interest in grocery delivery services like Instacart, Shipt, and others — which have also seen a massive increase in usage in recent weeks because of the pandemic.

Even so, users need to be cautious.

"The main takeaway from this is to be diligent about links you click on. Phishing scams are prevalent in all forms of communication," Sebree said. "Consumers should be wary of clicking on things that they did not explicitly request or are not expecting."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...