Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information.
The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including
ZHacker13 discovered the vulnerability in August and reported the issue to Facebook that asked for additional time to address the issue. The social network giant has finally fixed the flaw.
“In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”
The expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details.
Just a week before ZHacker13 disclosed the bug, phone numbers associated with 419 million accounts of the social
It is not clear if the two incidents could have the same root cause.
“I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told to Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about
The expert explained that he discovered by flaw by using the platform’s contact importer in combo with a brute-force attack on its login form.
The attack scenarios is composed of two steps:
- The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
- The attacker finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.
A Facebook spokesman explained that his company modified the contact importer in Instagram to address the flaw
Facebook, after initial resistance, confirmed it is evaluating to reward @ZHacker13 for reporting the bug as part of its bug bounty program.
“Facebook had also told @ZHacker13 that although the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.” continues the post. “This would have set a terrible precedent and
Facebook pointed out that there is no evidence that any user data has been abused by threat actors.
The post A bug in Instagram exposed user accounts and phone numbers appeared first on Security Affairs.