Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:21 PM

Instagram Closes Security Hole

A security researcher says the vulnerability could allow people to access photos taken by others, while Instagram says private photos can not be accessed

Instagram says it has fixed a bug spotted by Spanish security researcher Sebastian Guerrero.

Instagram is a free photo-sharing program that allows users to take a photo and apply a digital filter to alter the image. According to Guerrero, a lack of control logic used to process the approval process for requests for friendship meant that an attacker could launch a brute force attack and be added as a "friend" to any account.

"Being able to access images taken by users of the application and the information posted on their profile," the researcher explained in a blog post. "Also, it was found that this vulnerability also affects users whose album is private, allowing access to photos stored on it."

Guerrero posted a proof-of-concept attack exploiting the issue on his blog, adding himself to a group of people being followed by Facebook CEO Mark Zuckerberg and sending him a message.

"Just give us a tour of the Hollywood celebrity twitter, celebrities, presidents, government, etc.," he blogged. "Access your profile Instagram, get your user ID and automatically exploit this vulnerability. Whether your profile private, we get access to your photos."

According to Instagram, however, the bug did not actually put users' data at risk.

"We don't have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher," the company says, adding that private photos were never made public -- a statement that seems to contradict Guerrero's findings.

Instagram was purchased by Facebook earlier this year. Whether Facebook will face any sanctions for this vulnerability remains to be seen, blogged ESET security evangelist Stephen Cobb.

"One suspects that the Federal Trade Commission will take a look at the matter, given that Facebook is already subject to a 20-year FTC settlement over false claims about protecting the privacy of its users," he noted.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-10
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
PUBLISHED: 2019-12-10
IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518.
PUBLISHED: 2019-12-10
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179.
PUBLISHED: 2019-12-10
IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245...
PUBLISHED: 2019-12-10
The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.