Risk

5/5/2020
03:25 PM
Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages

Attackers could have exploited the issue to lead online shoppers to malicious websites or to get them to download malware, Tenable says.

Grocery delivery service Instacart has fixed a security flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number.

A security researcher from Tenable Research discovered the vulnerability while using Instacart to buy dog food recently and reported it to the company on April 28. The shopping service fixed the issue on May 1, reducing risk for the millions of users who have begun using the service amid social distancing rules tied to the COVID-19 pandemic.

The problem had to do with a feature on Instacart's website that is designed to get users to download the company's mobile app. After shoppers have placed an order on Instacart's site, they are typically directed to a page where they are asked to enter their mobile phone numbers. Users who do so then receive a link via SMS that they can use to download Instacart's mobile application.

Jimi Sebree, a security research engineer at Tenable, discovered that when an Internet user provides a mobile phone number, a request is sent to a "request_invite" endpoint at Instacart. The request contains parameters such as a store or warehouse ID and a zone ID identifying the regional location of the store.

"The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application," Tenable said in a report on the issue today.

The security researcher found a weakness on Instacart's "request_invite" endpoint that essentially gave attackers a way to capture the user's request link information along with associated security headers and authentication information. He discovered that attackers could then modify the message to send an SMS message containing a malicious link to any phone number of their choice. The recipient would receive an unsolicited SMS appearing to be from Instacart with a link for purportedly downloading the company's mobile app. 

Because attackers would be able to control the link that is sent to the victim via the Instacart SMS message, they could trick users into downloading malware or unwanted applications onto their devices, or direct them to credential- and data-stealing websites.

Sebree discovered that the information in the link request was valid for only a limited length of time. So attackers would have needed to use that window to craft and send a malicious SMS. They could also simply have canceled an order and placed a new order to get a fresh opportunity to capture another request.

"Each request would target a single phone number," Sebree said in comments to Dark Reading. But an attacker could theoretically have sent as many requests as they wished so long as they had a valid session with Instacart, he said.

"The caveat here is that sending too many messages would allow Instacart to potentially identify the malicious account due to increased traffic," he said.
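The defensive side of the flaw described above, as an added illustration that is not Instacart's code or Tenable's: a minimal "request_invite" handler that builds the SMS body from a link supplied in the client's request, beside a hardened version that uses a server-side constant for the link, validates the phone number, and gives each session a small per-window budget so the "increased traffic" Sebree mentions becomes rejected requests rather than delivered messages. The sender, URLs, session IDs and limits are all constructed placeholders.

```python
import re
import time
from collections import defaultdict

# Constructed stand-in for the SMS gateway; the real sender is not on the page.
SENT_SMS = []

def send_sms(phone, body):
    SENT_SMS.append((phone, body))

# Weak pattern from the article: the download link comes from the request
# payload, so whoever can replay or edit the request controls the link.
def request_invite_vulnerable(payload):
    send_sms(payload["phone"], f"Download the app: {payload['link']}")
    return True

# Hardened version (assumed design, not Instacart's actual fix).
APP_DOWNLOAD_URL = "https://example.invalid/app"   # placeholder, fixed server-side
E164 = re.compile(r"^\+[1-9]\d{7,14}$")            # rough E.164 check
MAX_INVITES_PER_WINDOW = 3
WINDOW_SECONDS = 3600
_budget = defaultdict(list)                        # session_id -> send timestamps

def request_invite_hardened(session_id, payload, now=None):
    """Send the invite SMS only for a valid number and within the session budget."""
    now = time.time() if now is None else now
    phone = payload.get("phone", "")
    if not E164.match(phone):
        return "rejected: invalid phone"
    recent = [t for t in _budget[session_id] if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_INVITES_PER_WINDOW:
        _budget[session_id] = recent
        return "rejected: rate limit"   # log this: repeated hits flag the account
    recent.append(now)
    _budget[session_id] = recent
    # Any 'link' field in the payload is deliberately ignored.
    send_sms(phone, f"Download the app: {APP_DOWNLOAD_URL}")
    return "sent"
```

The hardened handler never reads `payload["link"]`, so a replayed or edited request can at most trigger the legitimate message, and only a few times per session.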

Heightened Risks
Earlier this year, researchers from Check Point Software Technologies discovered a near-identical vulnerability in the widely popular TikTok video-sharing social media platform. The company's security researchers found that just as with Instacart, attackers could basically send an SMS message with a malicious link to any phone number on behalf of TikTok. The vulnerability was one of several that Check Point discovered within the TikTok application.

For Internet users, such vulnerabilities are another reminder of the need to be cautious when clicking on links or opening messages that are either unsolicited or from people or entities with whom they have had no prior contact.

In recent weeks, attackers have been hammering away at Internet users with a variety of phishing, business email compromise, and other scams using themes related to the COVID-19 pandemic. Most have involved attempts to get users to disclose credentials and other sensitive data or to distribute malware by luring them to malicious sites purporting to offer information on COVID-19.

Collaboration platforms such as Microsoft Teams, Zoom, and Slack have become huge targets for attackers because of the sheer number of people who have begun using them these days to work from home. So far, few reports have shown heightened attacker interest in grocery delivery services like Instacart, Shipt, and others — which have also seen a massive increase in usage in recent weeks because of the pandemic.

Even so, users need to be cautious.

"The main takeaway from this is to be diligent about links you click on. Phishing scams are prevalent in all forms of communication," Sebree said. "Consumers should be wary of clicking on things that they did not explicitly request or are not expecting."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...