Instacart Patches SMS Spoofing Vulnerability Discovered by Tenable Research

May 7, 2020

As grocery delivery services have seen an increase in traffic from users during the coronavirus pandemic, Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number.

Background

On May 1, Instacart, the popular grocery delivery and pickup service that saw a ten-fold boost in sales growth in March 2020, patched an SMS spoofing vulnerability that could have been exploited by attackers to send malicious links to arbitrary phone numbers by abusing a feature on Instacart’s website. This vulnerability was identified and reported to Instacart by Jimi Sebree, staff engineer with Tenable’s Zero Day Research Team.

Downloading mobile applications via text

Users who visit popular services via a web browser may be prompted to download the mobile application on their device as a more user-friendly alternative. Some websites offer users the option to send themselves a text message with a link to download the application.

On Instacart, after a user has placed an order via the company’s website, they’re directed to a page offering them the ability to “upgrade” their experience using the Instacart mobile app. Users are asked to provide their mobile number to receive a short message service (SMS) message with a link to download the mobile app.

While this feature seems harmless, it is ripe for exploitation. Researchers at Check Point disclosed a similar vulnerability through TikTok’s website earlier this year.

Analysis

Investigating the vulnerable “request_invite” endpoint

When a user provides their mobile number using this feature on Instacart’s website, a request is made to Instacart’s “request_invite” endpoint.

The request contains parameters such as the warehouse_id and zone_id, which are associated with a store’s ID and regional location. The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application.

In analyzing this endpoint, we found that we could re-purpose the existing request to send an SMS to anyone by modifying the phone number and link parameters, and it would appear as though the message originated from Instacart.

Modifying parameters in the request

In this spoofing scenario, the end user receives an SMS message asking them to download the Instacart App from a fake website.

The message sent to users through this form always includes the “Download the Instacart App:” message at the beginning, but the attacker would be able to control the link and any text included after it.

Capturing request information after placing an order

In order to leverage this flaw in the request_invite endpoint, the attacker would need to place an order using the Instacart website first. Once the order has been placed, the attacker will be able to capture the request information, including the required security headers, such as the x-csrf-token and HTTP cookie. These headers are needed in order to replay the modified request back to the vulnerable endpoint.

Unintended mitigation: Session limitation

In our research, we found that this information was valid only for a limited period of time, so an attacker would need to utilize this window of opportunity in order to send their malicious messages. However, they could cancel their existing order and simply place a new order every time they wanted to capture the request from an active session.

SMS messages and the real-world impact of this vulnerability

Exploitation of this vulnerability would allow an attacker to send SMS messages to unsuspecting users, attempting to convince them to install malware or imposter applications onto their mobile device, or direct them to phishing websites designed to steal their credentials. As the attacker can control the URL sent to a victim, they could point to a host under their control and embed code within the target URL to attempt various exploits determined by the user-agent passed by the victim’s web browser.

Unsolicited SMS messages aren’t new, but they create a unique problem for end users as there’s no way to validate the links they’ve received are, in fact, legitimate. This is further complicated by the use of URL shortening services, which ensure attackers can disguise links to malicious websites.

Impact

At the time of this writing, there is no evidence that this flaw has been used by malicious actors. However, if exploited, an attacker could have used this vulnerability to distribute malware or attempt phishing campaigns.

Vendor response

Tenable notified Instacart of this vulnerability on April 28. Instacart quickly responded to our disclosure, acknowledging and fixing the issue on May 1.

Tenable reviewed additional endpoints on Instacart’s website and found they functioned as expected, and were not susceptible to tampering like the request_invite endpoint.

Solution

As of May 1, this issue has been fixed. Since the flaw was server-side on Instacart’s infrastructure, no updates or action is required by users of their service.

Instacart’s fix simply removes the link parameter from the request so that it cannot be tampered with.

Despite the lack of the link parameter, the user will still receive a link to download the Instacart mobile application.

Protecting against SMS spoofing vulnerabilities

Other services are likely affected by similar SMS spoofing flaws. Until those services address them, the only recourse end users have is to be wary of unsolicited links sent to their mobile devices, even if they originate from a trusted number for a service they’ve used before.


Infraon Desk V2.5 by EverestIMS Technologies a Startup India company, gets certified in 13 Processes of Pink Elephant

May 7, 2020

Infraon Desk V2.5 passed the Pink VERIFY 2011 ITIL processes test for 13 processes, up from its earlier 7 process certification, and is now authorized to use the certification logo for this powerful Service Management tool

BENGALURU, India – May 7, 2020 – EverestIMS Technologies Pvt Ltd (EverestIMS), an Indian software product company with a rich market experience in the I&O and Digital Transformation space, recently received an upgraded ITIL compatible certification from Pink Elephant for Infraon Desk V2.5.

EverestIMS is delighted to announce that Infraon Desk V2.5 has successfully passed the criteria for PinkVERIFY Toolsets, demonstrating 100% of the required functionality and documentation sets for 13 Pink-defined ITIL processes.Prior to this the product had been certified for 7 processes. Since then, EverestIMS had put in consummate efforts towards thrusting the product for a high level of 11 process certifications. Pink Elephant is the world’s leading IT Service Management education and consulting provider.

The Pink Elephant certification is held in the highest regards amongst the entire technology community and is recognized as a beacon of quality and trust. They assessed the Infraon DeskV2.5 tool and confirmed its compatibility in the following ITIL 2011 processes.

  • Asset Management
  • Availability Management
  • Change Management
  • Event Management
  • Incident Management
  • Knowledge Management
  • Problem Management
  • Request Fulfilment
  • Release & Deployment Management
  • Service Asset & Configuration Management
  • Service Catalog Management
  • Service Level Management
  • Service Portfolio Management

Speaking about the certification, Satish Kumar V, CEO at EverestIMS Technologies said: EverestIMS Technologies has once again proven its commitment to providing best practice compatible solutions for its customers. This enhanced Pink VERIFY certification for Infraon DeskV2.5 from 7 to 13 processes demonstrates how EverestIMS understands the importance and value of working to best practices for IT Service Management. As a company rooted in the Make in India ethos we are always looking out to push the envelope in terms of excellence and competitiveness which India thrives upon“.

PinkVERIFY™ is a service that evaluates IT service management (ITSM) tool sets for ITIL compatibility. For a tool to be certified in a certain process, an ITSM vendor must go through a rigorous assessment process, meeting 100 percent of the general, core and integration suitability requirements.

Deepak Gupta, VP – ITSM who helms this product, further added, Since we last successfully completed PinkVERIFY for our product, there has been considerable innovation and development of our features and toolsets to ensure not only that customers’ changing technological and operational needs continue to be met, but also, that our product fully aligns with ITIL to ensure its processes can be easily adopted. It is important for EverestIMS that we have this independent assessment to confirm our adherence to ITIL“.

Feature-rich Infraon Desk V2.5 allows customers to have an added advantage in hassle-free installation and integration of any existing tool. It enables users to streamline ticket collection and assign it to respective technicians manually or automatically. In case of incidents, it directly notifies the desired staff/technician through emails and mobile texts. With its unified and centralized platform, Infraon Desk V2.5, helps organizations in delivering a seamless customer support.

In addition to the above processes, Infraon Desk V2.5 brings to the table a slew of powerful features like Workflow Automation, Multi-Channel communication, SLA & Penalty Management, Collaboration & Field Service and a host of others. To ensure vast customer accessibility, it is also available in SaaS and On-Premise options with Flexible license models that ensure enterprises can derive options that perfectly match their enterprise needs.What this brings to the table is a complete slew of features that ensure companies can satisfy their service management needs through an Indian product rather than look outwards. This powerfully boosts the Make in India initiative towards crucial success that the country needs.

# # #

About EverestIMS

Everest IMS Technologies Pvt. Ltd. (Everest), is an Indian product company rooted to the Make in India ethos. Everest was founded by a group of technocrats who have been working together for over 14 years and have a combined experience of close to 100+ years in the I&O scape. With a rich market experience in the I&O space, the company has built its widespread presence across the country through its product portfolio. The organization specializes in providing integrated IT solutions to empower corporations and enterprises to deliver enhanced services to their end-users.


%d bloggers like this: