

5/5/2020
03:25 PM

Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages

Attackers could have exploited the issue to lead online shoppers to malicious websites or to get them to download malware, Tenable says.

Grocery delivery service Instacart has fixed a security flaw on its website that would have allowed attackers to send SMS messages containing malicious links to any mobile number.

A security researcher from Tenable Research discovered the vulnerability while using Instacart to buy dog food recently and reported it to the company on April 28. The shopping service fixed the issue on May 1, reducing risk for the millions of users who have begun using the service amid social distancing rules tied to the COVID-19 pandemic.

The problem had to do with a feature on Instacart's website that is designed to get users to download the company's mobile app. After shoppers have placed an order on Instacart's site, they are typically directed to a page where they are asked to enter their mobile phone numbers. Users who do so then receive a link via SMS that they can use to download Instacart's mobile application.

Jimi Sebree, a security research engineer at Tenable, discovered that when an Internet user provides a mobile phone number, a request is sent to a "request_invite" endpoint at Instacart. The request contains parameters such as a store or warehouse ID and a zone ID identifying the regional location of the store.

"The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application," Tenable said in a report on the issue today.

The security researcher found a weakness on Instacart's "request_invite" endpoint that essentially gave attackers a way to capture the user's request link information along with associated security headers and authentication information. He discovered that attackers could then modify the message to send an SMS message containing a malicious link to any phone number of their choice. The recipient would receive an unsolicited SMS appearing to be from Instacart with a link for purportedly downloading the company's mobile app. 

Because attackers would be able to control the link sent to the victim in the Instacart SMS message, they could trick users into downloading malware or unwanted applications onto their devices, or direct them to credential- and data-stealing websites.

Sebree discovered that the information in the link request was valid for only a limited length of time. So attackers would have needed to use that window to craft and send a malicious SMS. They could also simply have canceled an order and placed a new order to get a fresh opportunity to capture another request.

"Each request would target a single phone number," Sebree said in comments to Dark Reading. But an attacker could theoretically have sent as many requests as they wished so long as they had a valid session with Instacart, he said.

"The caveat here is that sending too many messages would allow Instacart to potentially identify the malicious account due to increased traffic," he said.
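The fix pattern the article implies is that the server, not the client, must own the content of the invite SMS, and that per-session volume should be capped so abuse is blocked or at least visible. The handler below is an added illustration of that pattern, not Instacart's code; the endpoint name, URL, phone format, limits and the in-memory outbox are all assumptions.

```python
import re
import time
from collections import defaultdict

# Assumed server-side configuration for this illustration.
APP_DOWNLOAD_URL = "https://example.com/app"   # the only link the service should ever send
E164_PHONE = re.compile(r"^\+[1-9]\d{7,14}$")  # E.164 phone number format
MAX_INVITES_PER_SESSION = 3                    # cap on SMS invites per session
WINDOW_SECONDS = 600                           # rolling window for that cap

_sent_log = defaultdict(list)   # session_id -> timestamps of invites sent
sms_outbox = []                 # constructed stand-in for the SMS gateway


def _send_sms(phone, body):
    sms_outbox.append((phone, body))


def request_invite(session_id, phone, client_payload, now=None):
    """Handle a request_invite-style call (hypothetical endpoint).

    The weakness described in the article was that link data carried in
    the client's request ended up in the SMS. This handler takes only the
    phone number from the client, derives the link itself, and ignores
    any 'link' field in client_payload.
    """
    now = time.time() if now is None else now
    if not E164_PHONE.match(phone):
        return {"ok": False, "error": "invalid_phone"}

    # Per-session rate limit: drop timestamps outside the window, then check.
    recent = [t for t in _sent_log[session_id] if now - t < WINDOW_SECONDS]
    _sent_log[session_id] = recent
    if len(recent) >= MAX_INVITES_PER_SESSION:
        return {"ok": False, "error": "rate_limited"}

    # The message body is built entirely server-side; client_payload is not used.
    link = APP_DOWNLOAD_URL
    _send_sms(phone, f"Download the app: {link}")
    _sent_log[session_id].append(now)
    return {"ok": True, "link": link}
```

A client that supplies its own `link` still produces an SMS pointing at `APP_DOWNLOAD_URL`, and the fourth invite from one session inside the window is refused.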

Heightened Risks
Earlier this year, researchers from Check Point Software Technologies discovered a near-identical vulnerability in the widely popular TikTok video-sharing social media platform. The company's security researchers found that just as with Instacart, attackers could basically send an SMS message with a malicious link to any phone number on behalf of TikTok. The vulnerability was one of several that Check Point discovered within the TikTok application.

For Internet users, such vulnerabilities are another reminder of the need to be cautious when clicking on links or opening messages that are either unsolicited or from people or entities with whom they have had no prior contact.

In recent weeks, attackers have been hammering away at Internet users with a variety of phishing, business email compromise, and other scams using themes related to the COVID-19 pandemic. Most have involved attempts to get users to disclose credentials and other sensitive data or to distribute malware by luring them to malicious sites purporting to offer information on COVID-19.

Collaboration platforms such as Microsoft Teams, Zoom, and Slack have become huge targets for attackers because of the sheer number of people who have begun using them these days to work from home. So far, few reports have shown heightened attacker interest in grocery delivery services like Instacart, Shipt, and others — which have also seen a massive increase in usage in recent weeks because of the pandemic.

Even so, users need to be cautious.

"The main takeaway from this is to be diligent about links you click on. Phishing scams are prevalent in all forms of communication," Sebree said. "Consumers should be wary of clicking on things that they did not explicitly request or are not expecting."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...