Instagram fixes vulnerability that allowed attackers access to users’ personal information
- It has been officially confirmed that a vulnerability in Instagram, the Facebook-owned social media platform, could have let attackers harvest users’ personal information.
- The vulnerability, which has now been fixed, was reported by an Israeli hacker in early August.
The big picture
An Israeli hacker who goes by @ZHacker13 discovered a vulnerability in Instagram that allowed hackers to retrieve user details.
- The user details included the phone numbers and account numbers associated with Instagram usernames.
- @ZHacker13 reported the vulnerability to Facebook in early August, but the social media platform classified it as low risk.
- A month later, Facebook confirmed the vulnerability and said its internal teams were already aware of it.
- The vulnerability was later patched. @ZHacker13 was initially refused a reward on the grounds that the internal teams already knew about the flaw.
- Facebook has since reconsidered and promised a reward for the discovery.
Exploiting the vulnerability
An attacker could obtain the data at scale by running many bots in parallel to get around the application’s rate limiting.
- First, the attacker generates candidate phone numbers and uses an algorithm to check which of them are linked to active Instagram accounts.
- Then, the attacker abuses Instagram’s Sync Contacts feature (the contact importer) to retrieve the name and account associated with each number.
- Instagram limits contact syncing to three times a day per account. That limit is enforced per account only, so a single bot is throttled but nothing stops an attacker from running the same process from as many bot accounts as they can create.
“In theory, I can get all Instagram users’ details and phone numbers,” says @ZHacker13.
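The following simulation, added here to illustrate the procedure above and not code from the researcher or from Instagram, shows why a limit keyed only on the requesting account does not cap enumeration, and one cross-account check that would notice it. The contact-sync service, its three-syncs-a-day limit, the assumed batch size of 500 contacts per sync, the prefix-coverage detector and the directory of phone numbers are all constructed for the example; nothing here describes Instagram’s actual implementation or the change it made.

```python
"""Simulation of the contact-importer enumeration described above, plus a
cross-account detector for it. Added illustration: the service, its limits,
the batch size, the detector and the directory data are constructed
assumptions, not Instagram's code, data or actual fix."""
import math
from collections import defaultdict

SYNCS_PER_ACCOUNT_PER_DAY = 3   # the per-account limit the article describes
CONTACTS_PER_SYNC = 500         # assumed maximum contacts accepted per sync request
BLOCK_SIZE = 10_000             # numbers sharing one 7-digit prefix (4 trailing digits)

# Constructed directory: phone number -> (name, username). Roughly one number in
# thirteen inside one prefix block is "registered". Not real people or numbers.
PREFIX = "+1555123"
DIRECTORY = {f"{PREFIX}{i:04d}": (f"User {i}", f"user{i}") for i in range(0, BLOCK_SIZE, 13)}


class ContactImporter:
    """Contact sync with only a per-account daily limit: the weak design."""

    def __init__(self):
        self.syncs_today = defaultdict(int)
        self.log = []   # (account, batch) for every accepted sync, fed to the detector

    def sync(self, account, numbers):
        if self.syncs_today[account] >= SYNCS_PER_ACCOUNT_PER_DAY:
            raise PermissionError(f"{account}: daily sync limit reached")
        self.syncs_today[account] += 1
        batch = tuple(numbers[:CONTACTS_PER_SYNC])
        self.log.append((account, batch))
        return {n: DIRECTORY[n] for n in batch if n in DIRECTORY}


def bots_needed(total_numbers):
    """Accounts an attacker must control to cover total_numbers in one day when the
    only limit is per account: the limit multiplies the cost, it does not cap it."""
    batches = math.ceil(total_numbers / CONTACTS_PER_SYNC)
    return math.ceil(batches / SYNCS_PER_ACCOUNT_PER_DAY)


def enumerate_block(importer, bot_accounts):
    """Attacker: generate every number with the prefix and spread the batches over
    bot accounts, moving to the next bot whenever one hits its daily limit."""
    candidates = [f"{PREFIX}{i:04d}" for i in range(BLOCK_SIZE)]
    batches = [candidates[i:i + CONTACTS_PER_SYNC]
               for i in range(0, len(candidates), CONTACTS_PER_SYNC)]
    bots = list(bot_accounts)
    found = {}
    for batch in batches:
        while bots:
            try:
                found.update(importer.sync(bots[0], batch))
                break
            except PermissionError:
                bots.pop(0)   # this bot is exhausted for today; try the next one
        else:
            break   # attacker has run out of accounts for today
    return found


class PrefixCoverageDetector:
    """Cross-account check: for each 7-digit prefix, track which numbers were
    uploaded today and by which accounts. Real address books touch any one prefix
    sparsely; an enumeration run split across bots covers it almost completely."""

    def __init__(self, coverage_threshold=0.2):
        self.threshold = coverage_threshold
        self.numbers = defaultdict(set)    # prefix -> distinct numbers queried
        self.accounts = defaultdict(set)   # prefix -> accounts that queried it

    def observe(self, account, numbers):
        for n in numbers:
            prefix = n[:-4]
            self.numbers[prefix].add(n)
            self.accounts[prefix].add(account)

    def flagged(self):
        """Prefixes whose coverage crosses the threshold, with the accounts involved."""
        return {p: sorted(accts) for p, accts in self.accounts.items()
                if len(self.numbers[p]) / BLOCK_SIZE >= self.threshold}


def detect(importer):
    """Replay the service's sync log through the detector."""
    det = PrefixCoverageDetector()
    for account, batch in importer.log:
        det.observe(account, batch)
    return det.flagged()


if __name__ == "__main__":
    svc = ContactImporter()
    found = enumerate_block(svc, [f"bot{i}" for i in range(bots_needed(BLOCK_SIZE))])
    print(f"{len(found)} of {len(DIRECTORY)} registered numbers resolved")
    print("flagged:", detect(svc))
```

With the assumed numbers, seven bot accounts are enough to resolve every registered number in a 10,000-number block in a single day, and the cost of covering a larger space grows only linearly with the number of accounts the attacker can register. The detector works because it keys on the resource being looked up (the phone-number prefix) across all requesting accounts rather than on any one requester, which is the dimension a per-account limit leaves unguarded; a single user syncing a normal address book never pushes a prefix’s coverage anywhere near the threshold.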
What does this mean for users?
There is no indication that the vulnerability was exploited in the wild. Although Facebook has confirmed that it has fixed the issue, it has not published further details about the fix.
A Facebook spokesperson told SC Media, “We’ve made a change to the contact importer on Instagram to help prevent the kind of abuse outlined by the researcher and will reward him in line with our policies.”