Attackers could have exploited the issue to lead online shoppers to malicious websites or to get them to download malware, Tenable says.

Grocery delivery service Instacart has fixed a security flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number.

A security researcher from Tenable Research discovered the vulnerability while using Instacart to buy dog food recently and reported it to the company on April 28. The shopping service fixed the issue on May 1, reducing risk for the millions of users who have begun using the service amid social distancing rules tied to the COVID-19 pandemic.

The problem had to do with a feature on Instacart's website that is designed to get users to download the company's mobile app. After shoppers have placed an order on Instacart's site, they are typically directed to a page where they are asked to enter their mobile phone numbers. Users who do so then receive a link via SMS that they can use to download Instacart's mobile application.

Jimi Sebree, a security research engineer at Tenable, discovered that when an Internet user provides a mobile phone number, a request is sent to a "request_invite" endpoint at Instacart. The request contains parameters such as a store or warehouse ID and a zone ID identifying the regional location of the store.

"The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application," Tenable said in a report on the issue today.

The security researcher found a weakness on Instacart's "request_invite" endpoint that essentially gave attackers a way to capture the user's request link information along with associated security headers and authentication information. He discovered that attackers could then modify the message to send an SMS message containing a malicious link to any phone number of their choice. The recipient would receive an unsolicited SMS appearing to be from Instacart with a link for purportedly downloading the company's mobile app. 

Because attackers would be able to control the link that is sent to the victim via the Instacart SMS message, they could trick users into downloading malware or unwanted applications onto their devices, or direct them to credential- and data-stealing websites.

Sebree discovered that the information in the link request was valid for only a limited length of time. So attackers would have needed to use that window to craft and send a malicious SMS. They could also simply have canceled an order and placed a new order to get a fresh opportunity to capture another request.

"Each request would target a single phone number," Sebree said in comments to Dark Reading. But an attacker could have theoretically sent as many requests as they wished so long as they had a valid session with Instacart, he says.

"The caveat here is that sending too many messages would allow Instacart to potentially identify the malicious account due to increased traffic," he said.
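
The weakness described above, a server that relays a link taken from the request body, together with the per-session message volume Sebree mentions, sketched as an added example from the defender's side. This is not Instacart's or Tenable's code; the field names, download URL and limits are hypothetical.

```python
import re
import time
from collections import defaultdict, deque

# Hypothetical values: the article gives no real link, limits or field names.
APP_DOWNLOAD_LINK = "https://app.example.com/download"
MAX_SMS_PER_SESSION = 3
WINDOW_SECONDS = 3600
E164 = re.compile(r"^\+[1-9]\d{7,14}$")

_sent = defaultdict(deque)  # session id -> timestamps of accepted invite SMS


def invite_sms_vulnerable(payload):
    """'Before' behaviour as the article describes it: the link comes from the client."""
    return payload["phone"], f"Get the app: {payload['link']}"


def invite_sms_hardened(payload, session_id, now=None):
    """Build the SMS from server-side data only; return None when refused."""
    now = time.time() if now is None else now
    phone = str(payload.get("phone", ""))
    if not E164.fullmatch(phone):
        return None
    recent = _sent[session_id]
    # Drop timestamps that have aged out of the sliding window.
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_SMS_PER_SESSION:
        return None  # good place to raise an abuse alert for this session
    recent.append(now)
    # Any "link" field in the payload is deliberately ignored.
    return phone, f"Get the app: {APP_DOWNLOAD_LINK}"


if __name__ == "__main__":
    # Constructed request body with a link the server did not issue.
    body = {"phone": "+15555550100", "link": "https://attacker.example/app"}
    print(invite_sms_vulnerable(body))
    for _ in range(4):
        print(invite_sms_hardened(body, "session-1"))
```
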

Heightened Risks
Earlier this year, researchers from Check Point Software Technologies discovered a near-identical vulnerability in the widely popular TikTok video-sharing social media platform. The company's security researchers found that just as with Instacart, attackers could basically send an SMS message with a malicious link to any phone number on behalf of TikTok. The vulnerability was one of several that Check Point discovered within the TikTok application.

For Internet users, such vulnerabilities are another reminder of the need to be cautious when clicking on links or opening messages that are either unsolicited or from people or entities with whom they have had no prior contact.

In recent weeks, attackers have been hammering away at Internet users with a variety of phishing, business email compromise, and other scams using themes related to the COVID-19 pandemic. Most have involved attempts to get users to disclose credentials and other sensitive data or to distribute malware by luring them to malicious sites purporting to offer information on COVID-19.

Collaboration platforms such as Microsoft Teams, Zoom, and Slack have become huge targets for attackers because of the sheer number of people who have begun using them these days to work from home. So far, few reports have shown heightened attacker interest in grocery delivery services like Instacart, Shipt, and others — which have also seen a massive increase in usage in recent weeks because of the pandemic.

Even so, users need to be cautious.

"The main takeaway from this is to be diligent about links you click on. Phishing scams are prevalent in all forms of communication," Sebree said. "Consumers should be wary of clicking on things that they did not explicitly request or are not expecting."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
