News Cloud Security

Instagram Closes Security Hole

A security researcher says the vulnerability could allow people to access photos taken by others, while Instagram says private photos can not be accessed

By Brian Prince, Contributing Writer
Dark Reading July 12, 2012

Instagram says it has fixed a bug spotted by Spanish security researcher Sebastian Guerrero.

Instagram is a free photo-sharing program that allows users to take a photo and apply a digital filter to alter the image. According to Guerrero, a lack of control logic used to process the approval process for requests for friendship meant that an attacker could launch a brute force attack and be added as a "friend" to any account.

More Security Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>

"Being able to access images taken by users of the application and the information posted on their profile," the researcher explained in a blog post. "Also, it was found that this vulnerability also affects users whose album is private, allowing access to photos stored on it."

Guerrero posted a proof-of-concept attack exploiting the issue on his blog, adding himself to a group of people being followed by Facebook CEO Mark Zuckerberg and sending him a message.

"Just give us a tour of the Hollywood celebrity twitter, celebrities, presidents, government, etc.," he blogged. "Access your profile Instagram, get your user ID and automatically exploit this vulnerability. Whether your profile private, we get access to your photos."

According to Instagram, however, the bug did not actually put users' data at risk.

"We don't have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher," the company says, adding that private photos were never made public -- a statement that seems to contradict Guerrero's findings.

Instagram was purchased by Facebook earlier this year. Whether Facebook will face any sanctions for this vulnerability remains to be seen, blogged ESET security evangelist Stephen Cobb.

"One suspects that the Federal Trade Commission will take a look at the matter, given that Facebook is already subject to a 20-year FTC settlement over false claims about protecting the privacy of its users," he noted.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Page 1:

Dark Reading Discussions

Start the Discussion

To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.

Follow Dark Reading

Dark Reading Reports

How Cybercriminals Attack the Cloud

There's a lot for enterprises to like about the cloud computing model: It offers easy access to shared, elastically allocated computing resources; it creates savings on capital expenditure; and it reduces the running costs of operating a network. But all of this comes at the cost of control, which increases security challenges for IT pros. In this Dark Reading report, we examine the threat that cloud computing really poses, and we offer advice for tightening cloud providers' - and your own - security ship.
Identifying and Remediating Security Vulnerabilities In the Cloud

The cloud promises - and often delivers - tremendous cost savings and agility for enterprises. However, whether a company is leveraging the public cloud, a private cloud or some combination thereof, the security equation changes significantly when the cloud is a factor. In this Dark Reading report, we examine the security implications of cloud computing and offer advice for plugging any holes in the model.
Strategy, 5 Keys to Painless Encryption

Encryption is frequently used as the primary method to keep data from being stolen or destroyed. Our 2012 State of Encryption Survey profiles the struggles most IT groups have when trying to manage encryption products. Simply put, the old adage that "encryption is easy, key management is hard" still holds. But we think the game is changing. If you feel stuck with hard decisions and are seeking guidance when it comes to encryption, read on.

Other reports from the Cloud Security Tech Center:

Related Content

Sponsored by

2012 Cyber Risk Report

In the HP 2012 Cyber Risk Report, HP Enterprise Security provides a broad view of the vulnerability landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile. This report will provide actionable security intelligence critical for organizations to understand the vulnerability landscape as well as provide insight on how best to deploy their resources to minimize security risk.
Security for the Cloud

The cloud brings with it some unique challenges for security monitoring and management that require careful review and adjustment to security strategies, tools, and policies. Understanding what capabilities become critical in a cloud environment is key. This brief outlines how the HP Security Intelligence Platform delivers security capabilities to protect and defend business functions that rely on the cloud.
Delivering Software Security in the Cloud

Organizations need the ability to test the security of their software quickly, accurately, affordably, and without any software to install or manage. HP Fortify on Demand is an automated on-demand security-as-a-service (SaaS) testing solution that helps organizations ensure the security of their applications licensed from third parties. Download this white paper to learn how HP Fortify on Demand ensures a secure development throughout the software development lifecycle.
Mapping Security for Your Virtual Environment

With the gaining popularity of virtualization in today's enterprise data centers, you need a virtual security solution that allows you to confidently adopt virtualization throughout your data center without compromising on your existing security postures. This brief will detail how HP TippingPoint Secure Virtualization Framework is designed to provide IT personnel a single consolidated, yet flexible solution for extending the HP TippingPoint IPS Series, with its excellent threat protection into the virtualized data center.
Providing Security for Software Systems in the Cloud

This paper details risks to software deployed in the cloud. Some risks impact security in much the same way wherever and however the software is hosted, but many old risks take on new importance when software makes the jump to the cloud. In this paper, we discuss notable concerns in all of these areas and describe an approach for assessing a software system's readiness to be deployed in the cloud.

Free Research and Reports

What's this?From the Editors of DarkReading

More >>

Box Icon

Whitepapers

What's this?

More >>

Box Icon

Dark Reading Digital Magazine

Back Issues

In This Issue

How Hackers Fool Your Employees: People are your most vulnerable endpoint. Make sure your security strategy addresses that fact.
Not All Or Nothing: Effective security doesn't mean stopping all attackers.

Download Now

First Name*:
Last Name*:
Email Address*:
Job Title:
Company/Organization/Gov't Dept.:
*Required field
Privacy Statement

Security

Protect The Business - Enable Access

News Cloud Security

Instagram Closes Security Hole

A security researcher says the vulnerability could allow people to access photos taken by others, while Instagram says private photos can not be accessed

More Security Insights

White Papers

Reports

Webcasts

Related Reading

Dark Reading Discussions

Start the Discussion

Follow Dark Reading

Dark Reading Reports

How Cybercriminals Attack the Cloud

Identifying and Remediating Security Vulnerabilities In the Cloud

Strategy, 5 Keys to Painless Encryption

Sign up for the Dark Reading Daily email newsletter

Free Research and Reports

Whitepapers

Upcoming Events

Dark Reading Digital Magazine

In This Issue

News Cloud Security

Instagram Closes Security Hole

A security researcher says the vulnerability could allow people to access photos taken by others, while Instagram says private photos can not be accessed

More Security Insights

White Papers

Reports

Webcasts

Related Reading

Dark Reading Discussions

Start the Discussion

Follow Dark Reading

Dark Reading Reports

Related Content

Dark Reading Newsletter

Sign up for the Dark Reading Daily email newsletter

Free Research and Reports

Whitepapers

Upcoming Events

Dark Reading Digital Magazine

In This Issue