
Instagram Security Tool Pysa – Facebook publishes Sourcecode


To check their own software for security-relevant bugs and vulnerabilities, Instagram's developers use the security tool Pysa (a name it unfortunately shares with a ransomware family). Facebook has now published the tool's source code and made it freely available.

Instagram Security: Static analysis with Pysa

Sooner or later, every piece of software accumulates bugs over its life cycle. Finding and fixing them is not always easy, especially when millions of lines of code are involved. Automated static code analysis helps here: the program code is checked for problems automatically, without compiling or running it. Most static checkers look for a broad range of errors and bugs, but the Instagram security tool Pysa specializes in security problems. Security-related errors in program code are particularly critical, because precisely these errors create vulnerabilities that can be exploited. Pysa therefore specifically tracks which data the program processes and how, and is meant to recognize which data flows pose a security risk.

One example of a data flow that can become dangerous is remote code execution (RCE). This attack becomes possible when an attacker manages to smuggle command sequences into the program's flow. If the compromised program runs with elevated privileges, the consequences can be severe!
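To make the source-to-sink idea concrete, here is an added example (not Pysa's own code, and far simpler than the real tool): a toy intraprocedural taint tracker built on Python's `ast` module that flags data flowing from an assumed source such as `request.args.get` into an assumed sink such as `os.system`, unless a sanitizer such as `shlex.quote` intervenes. The source, sink and sanitizer names and the two sample functions are constructed for illustration.

```python
import ast

# Toy taint model in the spirit of Pysa: sources yield attacker-controlled data,
# sinks are dangerous when they receive it, sanitizers clear the taint (constructed).
SOURCES = {"input", "request.args.get"}
SINKS = {"os.system", "subprocess.call", "eval"}
SANITIZERS = {"shlex.quote"}

def dotted_name(node):  # render call targets like os.system / request.args.get
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{dotted_name(node.value)}.{node.attr}"
    return ""

def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source; sanitizers stop it."""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS:
            return False
        return name in SOURCES or any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_taint_flows(source_code):
    """Return (sink, line) pairs where source data reaches a sink (straight-line, per function)."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()  # variables currently known to hold source-derived data
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in call.args):
                        findings.append((dotted_name(call.func), call.lineno))
    return findings

# Constructed sample: only vulnerable() lets unquoted input reach a shell (line 4).
SAMPLE = '''def vulnerable(request):
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)
def hardened(request):
    safe = shlex.quote(request.args.get("host"))
    subprocess.call(["ping", "-c", "1", safe])'''
```

`find_taint_flows(SAMPLE)` reports the `os.system` call on line 4 of the sample and nothing for `hardened()`; a real analyzer adds branches, calls across functions and a far larger model of sources, sinks and sanitizers.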

The Instagram security tool Pysa comes with Pyre (source: screenshot)

Not a whole new approach

Last year Facebook already presented the static analysis tool Zoncolan, but it is not open source. Zoncolan is also designed to analyze programs written in Hack, a language used largely inside Facebook. Instagram, however, is written not in Hack but in Python, so the Instagram security tool Pysa is built for analyzing Python programs, which is far more relevant for the rest of the world. Python is a very popular and widely used programming language, so the release of the Pysa source code should interest many developers, especially those working on security-related software. Python tools for downloading Instagram posts have been discussed in the past.


Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my Master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH, a trained IT Risk Manager and IT-Grundschutz Practitioner (TÜV), and I hold the audit competence (Prüfverfahrenskompetenz) for § 8a BSIG. Our bread-and-butter business is conducting penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe, and for that reason we offer most of our products free of charge.