Breaking Xconomy news on Instagram privacy hole


Wade Roush

Jul 11, 2012, 10:34:34 PM7/11/12
to wade...@googlegroups.com
Friends -- I promise not to hit you with breaking news very often (this is the first time), but I've just published an important story, and I'm trying to spread the word. An independent security researcher in Spain has reported that there's a flaw in Instagram that could allow hackers to gain access to an Instagram user's photos, even if the user's account is set to "private."

Here's the full URL:


And here's the short version suitable for tweeting: bit.ly/LQhuqh

Thanks! Read on...

Insta-Friends? Spanish Hacker Reports Big Instagram Privacy Hole

Instagram was never the most private of apps. The photos you share there are public by default, meaning they’re visible to all of your followers. And you can “follow” any Instagram user you like—unless that user has selected the “photos are private” option in the app’s privacy settings. In that case, the user has to approve your follow request before you can see any of their photos.

But it turns out that the privacy option may be less private than users thought.

Sebastián Guerrero, a Spanish security researcher also known by the Twitter handle 0xroot, disclosed today on his blog (English translation here) that he’s discovered a loophole in Instagram’s code that could allow malicious hackers to bypass the approval process for private accounts. By exploiting the vulnerability, hackers could add themselves as followers to any Instagram account—even private accounts—without permission. From there, they could access any photo or album associated with an account.

Guerrero published the details of the weakness early today, calling it the “Friendship Vulnerability.” In a tweet, he says he notified Instagram about the problem, but has received no response. “They didn’t answer me. So I took the decision to make it public,” Guerrero said.

Instagram is used by more than 50 million people and is the most popular photo-sharing app for Apple and Android smartphones. In April, Facebook bought the San Francisco-based startup that developed the app for $1 billion.

In his post, Guerrero details the mechanism by which an outsider could gain access to an Instagram user’s friend list. It exploits a similarity in the way the app handles approved and rejected friendship requests. In essence, Guerrero showed that it’s possible to trick Instagram’s servers into adding a new follower to any account, even if the account is private.

To drive home the point, Guerrero showed an example in which he added himself to Facebook CEO Mark Zuckerberg’s Instagram friend list, and even sent Zuckerberg a message. “Congratulations Mark for Instagram acquisition,” the message read. “When would it be eligible for bounty bug program?”

Stephen Cobb, a security evangelist at Bratislava, Slovakia-based ESET, blasted Instagram over the vulnerability in a blog post this afternoon, calling it “the kind of programming mistake that should not find its way into production, often indicative of a lack of adequate code review and pre-production testing.”

“While we wait for this vulnerability to be solved, our best advice to all Instagram users is not to store any sensitive pictures using this app because, by exploiting this vulnerability, just about anyone could access your profile and see it,” Cobb wrote.

Neither Instagram nor Facebook has commented publicly on the vulnerability. Facebook did not immediately respond to an e-mail requesting comment on the situation.



Wade Roush | Chief Correspondent and San Francisco Editor, Xconomy
office 415.796.3024 | cell 857.272.1948
wro...@xconomy.com | twitter @wroush
699 Mississippi Street, Suite 206 | San Francisco, CA 94107
What to pitch me | No embargoes please
Sign up to receive daily email newsletters and event notices from Xconomy

