Security News Instagram accidentally exposed some user passwords through its data download tool

CyberTech

Instagram has notified some of its users that their password might have been exposed due to a security bug, according to The Information (via Engadget). A spokesperson for the company says that the issue was “discovered internally and affected a very small number of people.”

In this instance, the bug was tied to a feature that the company rolled out in April that allows users to download all of their data, implemented after European lawmakers rolled out their General Data Protection Regulation (GDPR). According to Instagram, some users who used that feature had their passwords included in a URL in their web browser, and the passwords were stored on Facebook’s servers, Instagram’s parent company. A security researcher told The Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.

Instagram says that it has since fixed the feature so that passwords won’t be exposed, and told users that they should change their passwords, as a precaution. In a statement to The Verge, an Instagram spokesperson says that “if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.”
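
The failure mode reported above, a password carried in a URL and then kept server-side, is something a site operator can look for in web access logs. The following is an added example, not part of the original post or article and not Instagram's code: it scans constructed log lines for secret-bearing query parameters in the request target and the Referer, and returns the URL with the value redacted. The log format, paths, host and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (an assumed list; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

# URLs inside a combined-format access log line: the request target and the Referer.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')
REFERER_RE = re.compile(r'" \d{3} \S+ "([^"]*)"')


def redact_url(url):
    """Return (redacted_url, leaked_names); secret query values become 'REDACTED'."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked


def scan_log(lines):
    """Yield (line_number, field, redacted_url, leaked_names) for each leaking URL."""
    for number, line in enumerate(lines, start=1):
        for field, pattern in (("request", REQUEST_RE), ("referer", REFERER_RE)):
            match = pattern.search(line)
            if not match:
                continue
            redacted, leaked = redact_url(match.group(1))
            if leaked:
                yield number, field, redacted, leaked


# Constructed sample log lines (hypothetical host, paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2018:10:00:00 +0000] "GET /download/request?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.7 - - [01/Jan/2018:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "https://example.test/download/request?user=alice&password=hunter2" "UA"',
    '203.0.113.9 - - [01/Jan/2018:10:01:00 +0000] "POST /download/request HTTP/1.1" 200 512 "-" "UA"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The second sample line shows why a secret in a URL spreads beyond the original request: the browser can pass the full URL along as the Referer of later requests, so it lands in further log entries.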
 

ChemicalB

I don't use social as a personal choice, but I see profiles of people who share their lives entirely: photos, video, children, house, job...
Are they aware of what this means? A password that was inadvertently shared can mean that someone can access their life.
On one side there is a security issue, a bug can happen of course, but from the other one I wonder how many people are really concerned about the sharing of their accounts .... being too busy to share their life.
 
Eddie Morra

Deleted my Instagram a few days ago. It's owned by Facebook and we know how good Facebook is with people's data.
5 years from now, there might be rehab clinics for Facebook services, or a world-wide campaign to improve the quality of human life by being "Facebook free".
 
Eddie Morra

> Hope it don't happen again.
It's inevitably going to happen again, but the likelihood is it'll happen as a result of something else in the future.

1. New features will raise the threat surface levels and eventually this leads to zero-day vulnerabilities being abused by resourceful threat actors.
2. Bad quality of work being produced (e.g. employees being forced to hurry up if they want to keep their jobs/whilst being threatened to be sacked or just being ignorant/lazy) is bound to introduce new vulnerabilities or potentially allow previously unknown but not exploitable vulnerabilities to become exploitable.
3. Lack of auditing causes more security risks to remain unnoticed.
4. Vulnerabilities planted intentionally (e.g. insider employees working for government agencies, employees going rogue for the criminal world, or the company agreeing to assist in X) whilst preferably making it look accidental and as difficult to discover by people who were not involved in the plans.

It's simply a game of time.

1. How long will it take until X is compromised?
2. How long until company X learns about the compromise?
3. How long until company X can recover from the compromise?
4. How long until the customers learn about the compromise of company X?
5. What will company X do to improve for the future, if anything?

Bottom line: nothing is perfect and given how things work realistically in most work-place environments when it comes to software development, there's an endless supply of opportunities in vulnerability research (this makes some very talented and patient people extremely rich).
 

LDogg

> Bottom line: nothing is perfect and given how things work realistically in most work-place environments when it comes to software development, there's an endless supply of opportunities in vulnerability research (this makes some very talented and patient people extremely rich).
I agree with this entire quote wholeheartedly.

~LDogg
 