Pierluigi Paganini September 15, 2019

Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information.

The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including user phone number and real name.

ZHacker13 discovered the vulnerability in August and reported the issue to Facebook that asked for additional time to address the issue. The social network giant has finally fixed the flaw.

“In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”

The expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details.

Just a week before ZHacker13 disclosed the bug, phone numbers associated with 419 million accounts of the social network giant were exposed online.

It is not clear if the two incidents could have the same root cause.

“I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told to Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about pathing it.” Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/ attackable database of users, bypassing protections protecting that data.”

The expert explained that he discovered by flaw by using the platform’s contact importer in combo with a brute-force attack on its login form.

The attack scenarios is composed of two steps:

• The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
• The attacker finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.

A Facebook spokesman explained that his company modified the contact importer in Instagram to address the flaw.

“we have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.” said the spokesman.

Facebook, after initial resistance, confirmed it is evaluating to reward @ZHacker13 for reporting the bug as part of its bug bounty program.

“Facebook had also told @ZHacker13 that although the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.” continues the post. “This would have set a terrible precedent and disincentivized researchers from coming forwards with similar vulnerabilities. I questioned Facebook on its decision, and the company reconsidered and told me it has “reassessed” the discovery of the bug and would reward the researcher after all. “

Facebook pointed out that there is no evidence that any user data has been abused by threat actors.  

Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]