Instagram Bug Let Hackers Peek At Private Photos

Feb 10 2014, 6:47pm CST | News | Technology News

If at any point before last Tuesday you suddenly found your private Instagram pics embarrassingly exposed to public perusal, Christian Lopez might be able to offer an explanation.

In August of last year, Lopez discovered a bug in Facebook’s popular photo-sharing app that would have let hackers invisibly switch a user’s Instagram privacy settings from private to public. And though the flaw is now fixed as of February 4th, it persisted for nearly six months after Lopez reported it to Facebook’s security team due to what he describes as multiple missteps that failed to fully patch the problem.

“They gave me good support and response,” says Lopez, an independent security researcher based in Barcelona, Spain, who I contacted via instant message. Lopez says he was paid a “four figure” reward by Facebook as part of its “bug bounty” program for researchers who report hackable flaws in its software. But he says he was still surprised at how long the company’s fix required. “Six months to properly fix this issue was more than expected.”

The Instagram hack used a common technique called cross-site request forgery, in which a carefully crafted link makes a user’s browser send a request to another site along with the cookies the browser already holds for that site. So Lopez’s exploit would have required tricking the user into clicking on a link, say in a phishing email. But if a user clicked and had logged in to Instagram at any point, the trick would likely allow the attacker to change the user’s privacy settings at will via Instagram’s API.

The exploit affected users of iOS and Android equally, Lopez says. “You click the link in your browser, and your profile will be set to public,” he writes.

Lopez says that Facebook issued an initial fix for the problem less than a month after his report, but it failed to fix the problem for cookies that predated the fix, which would still leave most users vulnerable. And in January of this year, Lopez says he discovered a code change on Instagram’s platform had opened up the original bug again, so that even users with new cookies became vulnerable. The full timeline of his interactions with Facebook is posted on his blog here.
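The cookie-riding request described above and the first fix that left pre-existing cookies exposed, as an added example that is not the article’s or Instagram’s code: a constructed Python model of a “set privacy” endpoint in three versions, where the session store, cookie names and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a server-side session store (session id -> record).
# A session with csrf_token=None models a cookie issued before the fix shipped.
@dataclass
class Session:
    user: str
    csrf_token: Optional[str] = None

SESSIONS = {
    "legacy-cookie": Session("alice"),                      # predates the fix
    "fresh-cookie": Session("bob", secrets.token_hex(16)),  # issued after it
}

@dataclass
class Request:
    cookie: str                      # attached automatically by the browser
    method: str = "POST"
    form: dict = field(default_factory=dict)

def _apply(sess: Session, public: bool) -> str:
    return f"{sess.user}:{'public' if public else 'private'}"

def set_privacy_vulnerable(req: Request, public: bool) -> str:
    """Trusts the cookie alone, so a request forged from another site succeeds."""
    sess = SESSIONS.get(req.cookie)
    return "denied" if sess is None else _apply(sess, public)

def set_privacy_partial_fix(req: Request, public: bool) -> str:
    """Checks a token only when the session has one: legacy sessions stay exposed."""
    sess = SESSIONS.get(req.cookie)
    if sess is None:
        return "denied"
    if sess.csrf_token is not None and not hmac.compare_digest(
            sess.csrf_token, req.form.get("csrf_token", "")):
        return "denied"
    return _apply(sess, public)

def set_privacy_fixed(req: Request, public: bool) -> str:
    """State changes only via POST with a token bound to the session; a session
    without a token is rejected and must be re-issued, not grandfathered."""
    sess = SESSIONS.get(req.cookie)
    if sess is None or sess.csrf_token is None or req.method != "POST":
        return "denied"
    if not hmac.compare_digest(sess.csrf_token, req.form.get("csrf_token", "")):
        return "denied"
    return _apply(sess, public)
```

A link click produces a GET carrying the cookie and no form token, which the first two versions accept for a legacy session and the third refuses regardless of when the cookie was issued.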

I’ve reached out to Instagram for comment, and I’ll update this post if I hear back from the company.

Lopez says there’s no telling how long the bug had persisted in Instagram before his report, either. His work should serve as a reminder not to click on links sent in emails from strangers, and to think twice before posting sensitive content to social media–even when it’s hidden behind the fig leaf of a “private” account.


 

Source: Forbes
