Facebook confirmed that a security vulnerability on Instagram put users data at risk leaving them open to attacks.
Israeli hacker, @ZHacker13 discovered the flaw, and found that it would allow threat actors access to user’s account details, names and phone numbers. Essentially the security on Instagram was being bypassed.
In a report by Forbes, the attacker first uses an algorithm to brute force Instagram’s login form with random numbers to see which ones are linked to the account. The hacker @ZHacker13 expects that a machine brute-forcing 15,000 requests, will return around 1,000 numbers.
Secondly, the attacker exploits Instagram’s Sync Contacts feature which links phone numbers to their corresponding accounts and other user information.
“Ordinarily this would return a mass of account numbers and names, with no ability to link those account details to phone numbers. But, if the contact list has a single number in it, then it will return the linked details.”
The hacker stressed that a threat actor could build “a large database of millions of Instagram users’ records.”
The vulnerability has now been fixed, and a spokesperson from Facebook said to Forbes: “we have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.”
Although fixed, the fact that the vulnerability existed is an issue in itself. ESET’s Lukas Stefanko explained to Forbes this was a data leaking bug, and “even though Instagram uses a Sync Contacts restriction – max three scans in 24 hours – this could be misused by creating bot accounts.”
There is no evidence of any user data being exploited or abused.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.