It would seem that Facebook’s Instagram frequently makes the news because of its security glitches. Recently, a researcher discovered an Instagram flaw that could let an adversary link users’ contact numbers with their personally identifiable information (PII).
Instagram Privacy Flaw Exposed Users’ Account Info
A security researcher using the alias ZHacker discovered a security flaw in Instagram that exposed users’ account data. As disclosed by Forbes, the researcher found that the flaw exposed the phone numbers linked to Instagram users’ accounts together with their real names.
Elaborating on the discovery, Zak Doffman of Forbes stated that the bug existed in Instagram’s contact importer feature. Abusing this feature together with a brute force attack on the platform’s login form made the exploit possible. As stated in the blog post,
Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/attackable database of users, bypassing protections protecting that data.
Specifically, the attack begins when the attacker brute forces a contact number on the platform’s login form to find one belonging to a live account. Extracting contact numbers from Instagram in this way is easily possible using an algorithm that harvests 1000 numbers a day. Then, by abusing Instagram’s Sync Contacts feature, the attacker could find the account linked with that phone number.
Though the attack had some limitations, it still remained a serious issue with regard to users’ privacy.
Facebook Patched The Bug
Upon discovering the flaw, ZHacker contacted Facebook to inform them about it. However, Facebook initially did not deem it as serious as it really was. Thus, ZHacker contacted Doffman, who helped raise the profile of the discovery.
Eventually, Facebook patched the flaw while acknowledging the bug. A Facebook spokesperson told Forbes,
We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.
Recently, another researcher highlighted a vulnerability in Instagram that could allow an attacker to hack 1 million accounts within 10 minutes.
Let us know your thoughts in the comments.