Facebook quickly patches Instagram vulnerability

Only locked Instagram accounts were exposed.
Only locked Instagram accounts were exposed.

Facebook reacted quickly to word that there was a vulnerability with certain Instagram accounts that could have allowed them to be compromised and fixed the issues in less than a day.

The problem was spotted by security researcher Arne Swinnen. Swinnen, in a blog post, said he was in the process of restarting an old Instragram account, which required verifying his account information, when he spotted two security problems.

He saw that Instagram, which is owned by Facebook, posted some of his user details on the verification page that – when used with certain operations – could allow for the account password to be reset by an unauthorized user.

However, the second issue could set off a domino effect that by stages would eventually reveal account holder personal information.

Swinnen found that Instagram put the account user ID in the URL. Compounding the problem was that the ID number could be edited. And so, by simply increasing the number by one each time, access could be gained to other accounts because the account numbers were issued sequentially and not in a scrambled fashion.

A portion of these accounts, about 3.9 percent, had a telephone number that was attached and that came up on the account verification page being exposed to anyone who had managed to get this far.

The vulnerability was only found on locked Instagram accounts.

Once notified, Facebook quickly corrected the issue and gave Swinnen a $5,000 bounty for bringing the problem to its attention.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS