Instagram vulnerability: private info at risk
Are you one of the 50 million users of Instagram, the photo-sharing service bought by Facebook in April for $1 billion? If so, you need to look out for an Instagram update to fix a vulnerability that has just been published by Spanish security researcher Sebastián Guerrero.
“This vulnerability, which Guerrero has dubbed the ‘Friendship Vulnerability,’ allows people you don’t know to add themselves as a friend to your Instagram account, with privileges that include viewing photos you thought were private,” comments Carey van Vlaanderen, CEO of ESET Southern Africa.
Instagram has now placed a notice in its Help Center stating that the vulnerability, which they refer to as the “Following Bug,” has been fixed. They also state that “never in the course of the bug existing was users’ data at risk – and at no point were private photos made public.” That appears to be at odds with what Mr. Guerrero has stated, so it is likely that he will have something to say about this.
Instagram is one of the most successful apps for mobile devices using Android or iOS (iPhones, iPads, and iPods) and allows users to add fancy filters to photos or to give them a retro or vintage style and then share them across multiple social networks. Signing up for Instagram from a mobile device is very easy, after which users can access the service via the Instagram website. The iTunes store says: “50 million people love Instagram!”
But will these users be pleased to hear about this vulnerability with regard to how Instagram handles their privacy? As described in Guerrero’s Spanish blog (English translation), the hole in Instagram’s code is a pretty big one: for example, it enables a malicious person to enter the select group of people that some celebrity follows, and to access images a particular user has created as well as their personal information. This “Friendship Vulnerability” affects even private albums, potentially allowing a stranger to access them and see the pictures that are stored with a Private setting.
“While we wait for this vulnerability to be solved, our best advice to all South African Instagram users is not to store any sensitive pictures using this app because, by exploiting this vulnerability, just about anyone could access your profile and see it,” adds van Vlaanderen.
In his blog post, which includes a cheeky Instagram message to Mark Zuckerberg, and in its English translation now on pastebin, Sebastián Guerrero has described the details of how this vulnerability works. Basically, there is a lack of control over input, the kind of programming mistake that should not find its way into production and is often indicative of inadequate code review and pre-production testing. Guerrero also shows an example in which he adds himself to the people followed by Mark Zuckerberg and even sends the Facebook billionaire a message of congratulation on buying Instagram.
Whether Facebook, the owner of Instagram, will face any sanctions for this vulnerability remains to be seen. One suspects that the Federal Trade Commission will take a look at the matter, given that Facebook is already subject to a 20-year FTC settlement over false claims about protecting the privacy of its users.