
Risk

5/5/2020
03:25 PM

Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages

Attackers could have exploited the issue to lead online shoppers to malicious websites or to get them to download malware, Tenable says.

Grocery delivery service Instacart has fixed a security flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number.

A security researcher from Tenable Research discovered the vulnerability while using Instacart to buy dog food recently and reported it to the company on April 28. The shopping service fixed the issue on May 1, reducing risk for the millions of users who have begun using the service amid social distancing rules tied to the COVID-19 pandemic.

The problem had to do with a feature on Instacart's website that is designed to get users to download the company's mobile app. After shoppers have placed an order on Instacart's site, they are typically directed to a page where they are asked to enter their mobile phone numbers. Users who do so then receive a link via SMS that they can use to download Instacart's mobile application.

Jimi Sebree, a security research engineer at Tenable, discovered that when an Internet user provides a mobile phone number, a request is sent to a "request_invite" endpoint at Instacart. The request contains parameters such as a store or warehouse ID and a zone ID identifying the regional location of the store.

"The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application," Tenable said in a report on the issue today.

The security researcher found a weakness on Instacart's "request_invite" endpoint that essentially gave attackers a way to capture the user's request link information along with associated security headers and authentication information. He discovered that attackers could then modify the message to send an SMS message containing a malicious link to any phone number of their choice. The recipient would receive an unsolicited SMS appearing to be from Instacart with a link for purportedly downloading the company's mobile app. 

Because attackers would be able to control the link sent to the victim in the Instacart SMS message, they could trick users into downloading malware or unwanted applications onto their devices, or direct them to credential- and data-stealing websites.

Sebree discovered that the information in the link request was valid for only a limited length of time. So attackers would have needed to use that window to craft and send a malicious SMS. They could also simply have canceled an order and placed a new order to get a fresh opportunity to capture another request.

"Each request would target a single phone number," Sebree said in comments to Dark Reading. But an attacker could theoretically have sent as many requests as they wished, so long as they had a valid session with Instacart, he said.

"The caveat here is that sending too many messages would allow Instacart to potentially identify the malicious account due to increased traffic," he said.
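The mechanics described above (a session-authenticated "request_invite" call whose phone number and download link both come from the client, a time-limited capture window, and volume as the main detection signal) map onto a small, constructed model. The code below is an added illustration written for this article, not Instacart's implementation or Tenable's proof of concept; the endpoint shape, field names, token format and limits are all assumptions. It shows the weak pattern beside a hardened one in which the link is fixed server-side, the invite token is bound to the session and order that produced it, expires, is single-use, and is counted per session so that the "too many messages" signal Sebree mentions becomes an enforced limit rather than an after-the-fact observation.

```python
"""Constructed model of an SMS "send me the app link" endpoint.
Example code illustrating the flaw class in the article; not Instacart's
code. Endpoint, field names, token format and limits are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed: the only download link the service should ever send.
OFFICIAL_APP_LINK = "https://example.invalid/app"


@dataclass
class SmsGateway:
    """Stand-in for the SMS provider; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, phone: str, body: str) -> None:
        self.sent.append((phone, body))


def vulnerable_request_invite(gw: SmsGateway, payload: dict) -> bool:
    """Weak pattern: trusts both the phone number and the link supplied by
    the client. Anyone holding a valid session can replay this with any
    values, which is the behaviour the article describes."""
    gw.send(payload["phone"], f"Download the app: {payload['link']}")
    return True


@dataclass
class InviteService:
    """Hardened pattern: link fixed server-side; invite token bound to the
    issuing session and order, expiring, single-use, and rate-limited."""
    gw: SmsGateway
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    ttl_seconds: int = 300          # assumed capture window
    max_per_session: int = 3        # assumed per-session send budget
    _used: set = field(default_factory=set)
    _per_session: dict = field(default_factory=dict)

    def issue_token(self, session_id: str, order_id: str, now: float) -> str:
        """Issued after checkout; ties one invite to one session and order."""
        nonce = secrets.token_hex(8)
        msg = f"{session_id}|{order_id}|{int(now)}|{nonce}"
        tag = hmac.new(self.secret, msg.encode(), "sha256").hexdigest()
        return f"{msg}|{tag}"

    def request_invite(self, session_id: str, token: str,
                       phone: str, now: float) -> bool:
        """Returns True only if an SMS was sent; every rejection is silent
        to the caller and would be logged server-side in a real service."""
        parts = token.split("|")
        if len(parts) != 5:
            return False
        sid, order_id, issued, nonce, tag = parts
        msg = f"{sid}|{order_id}|{issued}|{nonce}"
        expected = hmac.new(self.secret, msg.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False            # forged or tampered token
        if sid != session_id:
            return False            # token captured from another session
        if now - int(issued) > self.ttl_seconds:
            return False            # expired
        if nonce in self._used:
            return False            # replayed token
        sent_so_far = self._per_session.get(session_id, 0)
        if sent_so_far >= self.max_per_session:
            return False            # budget exhausted: raise an alert here
        digits = phone.lstrip("+")
        if not digits.isdigit() or not 7 <= len(digits) <= 15:
            return False            # malformed destination number
        self._used.add(nonce)
        self._per_session[session_id] = sent_so_far + 1
        # The link is never taken from the request body.
        self.gw.send(phone, f"Download the app: {OFFICIAL_APP_LINK}")
        return True
```

The HMAC-tagged token is one of several ways to bind an invite to its order; a server-side lookup keyed by order ID works equally well. The point the example makes is that neither the link nor the right to send should be derivable from the request body alone.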

Heightened Risks
Earlier this year, researchers from Check Point Software Technologies discovered a near-identical vulnerability in the widely popular TikTok video-sharing social media platform. The company's security researchers found that just as with Instacart, attackers could basically send an SMS message with a malicious link to any phone number on behalf of TikTok. The vulnerability was one of several that Check Point discovered within the TikTok application.

For Internet users, such vulnerabilities are another reminder of the need to be cautious when clicking on links or opening messages that are either unsolicited or from people or entities with whom they have had no prior contact.

In recent weeks, attackers have been hammering away at Internet users with a variety of phishing, business email compromise, and other scams using themes related to the COVID-19 pandemic. Most have involved attempts to get users to disclose credentials and other sensitive data or to distribute malware by luring them to malicious sites purporting to offer information on COVID-19.

Collaboration platforms such as Microsoft Teams, Zoom, and Slack have become huge targets for attackers because of the sheer number of people who have begun using them these days to work from home. So far, few reports have shown heightened attacker interest in grocery delivery services like Instacart, Shipt, and others — which have also seen a massive increase in usage in recent weeks because of the pandemic.

Even so, users need to be cautious.

"The main takeaway from this is to be diligent about links you click on. Phishing scams are prevalent in all forms of communication," Sebree said. "Consumers should be wary of clicking on things that they did not explicitly request or are not expecting."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...