In August of last year, Lopez discovered a bug in Facebook’s popular photo-sharing app that would have let hackers invisibly switch a user’s Instagram privacy settings from private to public. And though the flaw is now fixed as of February 4th, it persisted for nearly six months after Lopez reported it to Facebook’s security team due to what he describes as multiple missteps that failed to fully patch the problem.
“They gave me good support and response,” says Lopez, an independent security researcher based in Barcelona, Spain, who I contacted via instant message. Lopez says he was paid a “four figure” reward by Facebook as part of its “bug bounty” program for researchers who report hackable flaws in its software. But he says he was still surprised by how long the company’s fix took. “Six months to properly fix this issue was more than expected.”
The Instagram hack used a common technique called cross-site request forgery, in which a carefully crafted link makes a user’s browser send a request to another site, with the browser automatically attaching the cookies it has stored for that site. So Lopez’s exploit would have required tricking the user into clicking on a link, say in a phishing email. But if a user clicked and had logged in to Instagram at any point, so that the browser still held a valid Instagram session cookie, the trick would likely allow the attacker to change the user’s privacy settings at will via Instagram’s API.
The exploit affected users of iOS and Android equally, Lopez says. “You click the link in your browser, and your profile will be set to public,” he writes.
Lopez says that Facebook issued an initial fix for the problem less than a month after his report, but it failed to fix the problem for cookies that predated the fix, which would still leave most users vulnerable. And in January of this year, Lopez says he discovered a code change on Instagram’s platform had opened up the original bug again, so that even users with new cookies became vulnerable. The full timeline of his interactions with Facebook is posted on his blog here.
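To make the two points above concrete, the cross-site request described earlier and the fix that left pre-existing cookies unprotected, here is an added illustration that is not Instagram’s or Facebook’s code: a cookie-authenticated “set profile privacy” endpoint in a CSRF-able form beside a hardened form. The endpoint, origin, session store and requests are all hypothetical and constructed inline; the hardened version also shows one way a fix can cover old cookies, by failing closed when a session carries no CSRF token rather than skipping the check.

```python
# Added example, not Instagram's code: all names hypothetical, store constructed.
import hmac
import secrets
from dataclasses import dataclass, field

SITE = "https://app.example"  # hypothetical origin that legitimately serves the API

@dataclass
class Request:
    method: str
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)

@dataclass
class Session:
    user: str
    private: bool = True
    csrf_token: str = ""  # empty models a cookie issued before the fix shipped
SESSIONS = {}  # session-cookie value -> Session (constructed in-memory store)

def login(user, legacy=False):
    """Issue a session cookie; legacy=True omits the CSRF token, like an old cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user, csrf_token="" if legacy else secrets.token_urlsafe(16))
    return sid

def set_privacy_vulnerable(req):
    """Trusts the cookie alone; the browser attaches it to a cross-site GET too,
    so a link clicked elsewhere can flip the setting."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    sess.private = req.params.get("private") == "1"
    return 200

def set_privacy_hardened(req):
    """POST only, Origin must match the site, and the CSRF token in the body must
    equal the one bound to the session. A session with no token fails closed
    instead of skipping the check, so cookies issued before the fix get no exemption."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method != "POST" or req.headers.get("Origin") != SITE:
        return 403
    token = req.params.get("csrf", "")
    if not sess.csrf_token or not hmac.compare_digest(token, sess.csrf_token):
        return 403
    sess.private = req.params.get("private") == "1"
    return 200
```

Setting the session cookie with a SameSite attribute would add a second, browser-side layer, but the server-side token check is what protects users whose browsers do not enforce it.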
I’ve reached out to Instagram for comment, and I’ll update this post if I hear back from the company.
Lopez says there’s no telling how long the bug had persisted in Instagram before his report, either. His work should serve as a reminder not to click on links sent in emails from strangers, and to think twice before posting sensitive content to social media, even when it’s hidden behind the fig leaf of a “private” account.
Follow me on Twitter, email me, anonymously send me sensitive documents or tips, and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.