Facebook has patched two vulnerabilities which affected
approximately one million users of Instagram and left their accounts
open to compromise.
The social networking giant awarded $5,000
to Belgian security researcher Arne Swinnen, who discovered the security
flaw, as part of the firm's bug bounty program. According to a blog post published on Friday,
Swinnen came across two security weaknesses while accessing an old test
account on the photo-sharing platform. The researcher has disclosed
Instagram vulnerabilities in years past. When he returned to the test
account, Swinnen was redirected to a page that required account
verification due to inactivity.
There was no phone number linked to this account, so Swinnen's only available option was email verification. The security researcher quickly noticed that the verification page not only
lacked any authentication check, but that its address also included
the Instagram account's unique user ID. While this in itself isn't
necessarily a problem, by plugging in other account IDs Swinnen was
able to reach the landing pages of a small percentage of temporarily
locked accounts, and from there to update their email addresses.
"Once an attacker could set the email address linked to an Instagram
account, he/she could perform a password reset via email and gain full
access to it," the researcher notes. "Big security impact, but only 0.17
percent of accounts affected."
Overall, the problem affected four percent of existing and active
Instagram accounts in a locked state, which equates to approximately one
million users. With further exploration, the researcher found
he was also able to update and change phone numbers linked to these
vulnerable accounts, perform the "reset password via SMS" process and
then completely take over an account.
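As an added illustration of the flaw class the article describes (this is example code, not code from Instagram, Facebook or the researcher), the sketch below contrasts a contact-update handler that selects the account purely from the user ID carried in the request with one that additionally demands a server-issued, single-use, expiring token that would only ever be delivered to the account's registered email or phone. The same check applies to both the email and the phone-number variants reported above. Account IDs, addresses, the signing key and the 15-minute token lifetime are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def fresh_accounts():
    """Constructed sample state: two temporarily locked accounts (hypothetical ids)."""
    return {
        1001: {"email": "alice@example.invalid", "locked": True},
        1002: {"email": "bob@example.invalid", "locked": True},
    }


SERVER_SECRET = secrets.token_bytes(32)  # assumed server-side signing key
TOKEN_TTL = 15 * 60                      # assumed 15-minute token validity
_used_tokens: set = set()                # single-use enforcement


def update_email_vulnerable(accounts, request):
    """The pattern described in the article: the account is chosen solely by
    the user id in the request, with no proof that the caller owns it, so any
    locked account id that is guessed or enumerated can be re-pointed."""
    uid = int(request["user_id"])
    acct = accounts.get(uid)
    if acct is None or not acct["locked"]:
        return False
    acct["email"] = request["new_email"]
    return True


def issue_verification_token(uid):
    """Mint an HMAC-signed token bound to one account, an expiry and a nonce.
    In a real flow the server sends this only to the account's registered
    contact; the caller proves ownership by presenting it."""
    exp = int(time.time()) + TOKEN_TTL
    nonce = secrets.token_hex(8)
    payload = f"{uid}:{exp}:{nonce}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, uid):
    """Constant-time signature check, then binding, expiry and replay checks.
    A token is consumed only once it has passed every check."""
    try:
        t_uid, t_exp, nonce, sig = token.split(":")
    except ValueError:
        return False
    payload = f"{t_uid}:{t_exp}:{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    if int(t_uid) != uid or int(t_exp) < time.time():
        return False
    if token in _used_tokens:
        return False
    _used_tokens.add(token)
    return True


def update_email_fixed(accounts, request):
    """Hardened form: the user id in the URL merely names the record; the
    token proves the caller controls that account's existing contact."""
    uid = int(request["user_id"])
    acct = accounts.get(uid)
    if acct is None or not acct["locked"]:
        return False
    if not verify_token(request.get("token", ""), uid):
        return False
    acct["email"] = request["new_email"]
    return True
```

The key design point is that the token is bound to the account id at issue time, so a token legitimately obtained for one locked account is useless against another, and it is consumed on first use so it cannot be replayed after the owner has finished verifying.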