Instacart SMS Link Spoofing Vulnerability

When purchasing an item from Instacart via the web interface, post-checkout, users that do not have the mobile app are given the option to have a download link sent to them once order tracking becomes available. When doing so, a user is able to control the link that is sent to them. The message generated by this endpoint to be sent to a user via SMS comes from the same phone numbers and services that all other legitimate Instacart SMS messages come from -- such as order updates, delivery notices, etc.

 

The affected domain is: https://www.instacart.com/

The affected endpoint is: "/welcome/request_invite?source=web&warehouse_id=<warehouse id>&zone_id=<zone id>"

 

Submitting a POST request to this endpoint with valid cookies, visitor ID, and order numbers with the following form-encoded parameters allows a malicious actor to send spoofed messages to any phone number with a link of their choice as Instacart.

 

phone=5551234567&link=https%3a%2f%2fattacker.com

 

There do appear to be some precautions in place that inadvertently mitigate some of the impact of this flaw, but they are relatively easy to bypass. For instance, this endpoint is not easily accessible as it requires a purchase to have been made to appear (we did, however, confirm arbitrary usage by placing an order to obtain the link and then cancelling the order). Additionally, after a short period of time, this endpoint does stop sending messages and requires a new session to be created, which limits the amount of messages that an attacker can send at once.