Facebook patches serious Instagram vulnerability that opened door to data theft
Facebook Inc. has patched a serious vulnerability in its Instagram app that could have allowed a malicious actor to access user data including names, phone numbers and Instagram account numbers.
Discovered by an Israeli hacker known as ZHacker13 and first reported by Forbes Thursday, the vulnerability allowed an attacker to bypass security protections and gain access to information that could be used to build a database of users.
The method involved two stages. In the first, an attacker brute-forced Instagram’s login form with random phone numbers to see which numbers were actually associated with an account; according to the hacker, a single machine brute-forcing 15,000 random numbers would on average return around 1,000 valid accounts. The second stage abused Instagram’s Sync Contacts feature to link those phone numbers to their corresponding account names and numbers, along with other associated user information.
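The two stages described above leave a recognizable footprint on the server side: one source submitting many distinct phone numbers to the login endpoint, most of which do not belong to an account, followed by a large contact-sync upload from the same source. The following is an added detection example, not code from Instagram or Facebook; the log line format, field names, endpoint paths and thresholds are all assumptions constructed for this illustration.

```python
"""Detect the two-stage pattern from the article on sample login/contact-sync logs.

Added example; the log schema, endpoint names and thresholds below are
assumptions, not Instagram's real logging format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
#   "<timestamp> <src_ip> <endpoint> <detail> <status>"
# For /login, <detail> is the phone number submitted; for /sync_contacts it is
# the number of contacts in the uploaded address book.
SAMPLE_LOG = """\
2019-09-12T10:00:00 203.0.113.7 /login +15550100001 no_such_account
2019-09-12T10:00:01 203.0.113.7 /login +15550100002 no_such_account
2019-09-12T10:00:02 203.0.113.7 /login +15550100003 bad_password
2019-09-12T10:00:03 203.0.113.7 /login +15550100004 no_such_account
2019-09-12T10:00:04 203.0.113.7 /login +15550100005 no_such_account
2019-09-12T10:00:05 203.0.113.7 /login +15550100006 no_such_account
2019-09-12T10:00:09 203.0.113.7 /sync_contacts 5000 ok
2019-09-12T10:00:10 198.51.100.4 /login +15550100003 bad_password
2019-09-12T10:00:40 198.51.100.4 /login +15550100003 ok
2019-09-12T10:01:00 198.51.100.9 /sync_contacts 120 ok
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict of typed fields."""
    ts, src, endpoint, detail, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "endpoint": endpoint, "detail": detail, "status": status}


def enumeration_alerts(log_text, window=timedelta(minutes=5), min_distinct=5,
                       max_known_ratio=0.5, bulk_sync=1000):
    """Return alerts for (a) a source probing many distinct numbers at /login,
    most of which do not exist, and (b) bulk contact syncs, marked correlated
    when the same source also triggered (a) in the same time window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if not events:
        return []
    t0 = min(e["ts"] for e in events)
    # (src, window index) -> {phone: True if any response revealed it exists}
    probes = defaultdict(dict)
    # (src, window index) -> list of contact-sync batch sizes
    syncs = defaultdict(list)
    for e in events:
        key = (e["src"], (e["ts"] - t0) // window)
        if e["endpoint"] == "/login":
            # Any status other than "no_such_account" tells the caller the
            # number is registered, which is exactly the oracle an enumerator needs.
            exists = e["status"] != "no_such_account"
            probes[key][e["detail"]] = probes[key].get(e["detail"], False) or exists
        elif e["endpoint"] == "/sync_contacts":
            syncs[key].append(int(e["detail"]))

    alerts = []
    flagged = set()
    for key, tried in probes.items():
        distinct = len(tried)
        known = sum(tried.values())
        # A legitimate user mistypes one or two numbers; an enumerator submits
        # many distinct numbers and most of them turn out not to exist.
        if distinct >= min_distinct and known / distinct <= max_known_ratio:
            flagged.add(key)
            alerts.append({"type": "phone_enumeration", "src": key[0],
                           "distinct": distinct, "known": known})
    for key, batches in syncs.items():
        for size in batches:
            if size >= bulk_sync:
                alerts.append({"type": "bulk_contact_sync", "src": key[0],
                               "contacts": size, "correlated": key in flagged})
    return alerts


if __name__ == "__main__":
    for alert in enumeration_alerts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the probing source trips the enumeration rule (six distinct numbers, one known) and its 5,000-contact sync is reported as correlated, while the user who retried their own number twice and the small 120-contact sync are left alone. Detection of this kind is a backstop; the underlying fix is to make the login response identical whether or not a number is registered, and to rate-limit both the login form and contact-sync lookups per account and per source.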
Facebook has now fixed the vulnerability, but its existence is yet another example of the ongoing security and privacy issues at the company: Instagram terminated a partner Aug. 7, and concerns were raised July 28 about the data of younger users.
“Once again, Facebook is in the news for the wrong reason,” Vinay Sridhara, chief technology officer at security posture firm Balbix Inc., told SiliconANGLE. “This Instagram vulnerability comes only one week after reports of 419 million Facebook users’ phone numbers being leaked via a misconfigured third-party database.”
He added that exploiting the Instagram vulnerability would in theory allow an attacker to obtain access to up-to-date phone numbers and other pieces of information for potentially all users. “Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim,” he explained.
Chris DeRamus, co-founder and chief technology officer at cloud security firm DivvyCloud Corp., noted that security vulnerabilities such as this are often the result of a misconfiguration and that organizations must do a better job at ensuring from the outset that their data is protected with automated security controls.
“The fact that the reported vulnerability in Instagram is ‘complex’ to exploit is actually a good indication,” added Jonathan Knudsen, senior security strategist at security provider Synopsys Inc. “A finding of an easily exploitable vulnerability would indicate that something fundamental was wrong with Facebook’s software security methodology. A complex-to-exploit vulnerability is still cause for concern and should influence Facebook’s future bug-hunting efforts, but hopefully, it shows that simpler, more obvious bugs have been addressed already.”