Instagram Bug Let Hackers Peek At Private Photos

Posted: Feb 10 2014, 6:47pm CST | by , Updated: Feb 10 2014, 6:50pm CST, in Technology News

If at any point before last Tuesday you suddenly found your private Instagram pics embarrassingly exposed to public perusal, Christian Lopez might be able to offer an explanation.

In August of last year, Lopez discovered a bug in Facebook’s popular photo-sharing app that would have let hackers invisibly switch a user’s Instagram privacy settings from private to public. And though the flaw is now fixed as of February 4th, it persisted for nearly six months after Lopez reported it to Facebook’s security team due to what he describes as multiple missteps that failed to fully patch the problem.

“They gave me good support and response,” says Lopez, an independent security researcher based in Barcelona, Spain, who I contacted via instant message. Lopez says he was paid a “four figure” reward by Facebook as part of its “bug bounty” program for researchers who report hackable flaws in its software. But he says he was still surprised at how long the company’s fix required. “Six months to properly fix this issue was more than expected.”

The Instagram hack used a common technique called cross-site request forgery (CSRF): a carefully crafted link makes the victim's browser send a request to another site, and the browser automatically attaches the cookies it already holds for that site, so the request arrives looking as though the logged-in user made it. Lopez's exploit would therefore have required tricking the user into clicking on a link, say in a phishing email. But if a user clicked and was logged in to Instagram, the trick would likely allow the attacker to change the user's privacy settings at will via Instagram's API.

The exploit affected users of iOS and Android equally, Lopez says. “You click the link in your browser, and your profile will be set to public,” he writes.

Lopez says that Facebook issued an initial fix for the problem less than a month after his report, but it failed to fix the problem for cookies that predated the fix, which would still leave most users vulnerable. And in January of this year, Lopez says he discovered a code change on Instagram’s platform had opened up the original bug again, so that even users with new cookies became vulnerable. The full timeline of his interactions with Facebook is posted on his blog here.
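To make the two failure modes above concrete, here is a simplified Python model (an added illustration, not code from the article or from Instagram) of a cookie-authenticated "set privacy" endpoint: the unprotected version honours any request that carries the session cookie, and the hardened version requires a token bound to the session, which also forces the "legacy sessions issued before the fix" case to be handled explicitly. The session store, endpoint shape, cookie name, form field and header names are all assumed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory session store: session id -> {"user": ..., "csrf": token or None}.
SESSIONS = {}
PROFILES = {}  # user -> {"private": bool}; constructed sample state

def new_session(user, legacy=False):
    """Issue a session cookie value. 'legacy' models a cookie minted before
    the CSRF fix, which carries no bound token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": None if legacy else secrets.token_hex(16)}
    PROFILES.setdefault(user, {"private": True})
    return sid

@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)

def set_privacy_unprotected(req):
    """Pre-fix behaviour: the session cookie alone authorises the change,
    so a forged cross-site request flips the profile to public."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return 401
    PROFILES[sess["user"]]["private"] = req.form.get("private") == "1"
    return 200

def set_privacy_hardened(req, allowed_origin="https://app.example"):
    """Hardened behaviour: require a per-session token that the browser does
    not send automatically, and reject legacy sessions that have no token
    (otherwise the partial-fix gap described in the article stays open)."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return 401
    if sess["csrf"] is None:          # legacy cookie: force re-login rather than trust it
        return 403
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token or not hmac.compare_digest(token, sess["csrf"]):
        return 403
    origin = req.headers.get("Origin")  # defence in depth: browsers set Origin on cross-site POSTs
    if origin is not None and origin != allowed_origin:
        return 403
    PROFILES[sess["user"]]["private"] = req.form.get("private") == "1"
    return 200
```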

I’ve reached out to Instagram for comment, and I’ll update this post if I hear back from the company.

Lopez says there's no telling how long the bug had persisted in Instagram before his report, either. His work should serve as a reminder not to click on links sent in emails from strangers, and to think twice before posting sensitive content to social media, even when it's hidden behind the fig leaf of a "private" account.

Follow me on Twitter, email me, anonymously send me sensitive documents or tips, and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.

Source: Forbes
