Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/19/2018
11:15 AM
50%
50%

Instagram Privacy Tool Exposed Passwords

The 'Download Your Data' tool, intended to improve users' privacy, actually became a privacy risk.

Instagram is notifying users affected by the accidental exposure of plaintext passwords via its Download Your Data tool, which was ironically intended to preserve their privacy.

Download Your Data, a new feature introduced earlier this year, gives account holders a way to view all the information Instagram has: photos and videos shared, comments, and profile information, for example. The tool was developed amid privacy concerns following Facebook's Cambridge Analytica scandal and the rollout of General Data Privacy Regulation in Europe.

Unfortunately, Download Your Data may have exposed users' passwords, The Information reports. For a short period of time, users who logged in to the tool could see their password in the page's URL. The password was only exposed to the user but was stored on Facebook's servers – a problem for anyone on a shared machine or compromised network, Fortune notes.

Instagram has fixed the bug and has deleted saved passwords. Read more details here.

 

 Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
11/28/2018 | 8:10:17 PM
How can they expect people to use their products
How can they expect people to use their products if it's quite blatant that there are violations in privacy when it comes to using their applications? People had better think properly when it comes to downloading and using some of these programs if they don't want all their data to be copied or worse, wiped out! Let's just hope that there's a patch for this coming soon...
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.