CSRF Vulnerability in Instagram Allowed Hackers to Make Private Profiles Public

Facebook has addressed the issue, but it took the company around 6 months to do it

By on February 10th, 2014 14:59 GMT

Independent security researcher Christian Lopez Martin has identified a cross-site reference forgery (CSRF) vulnerability in Instagram that could have been leveraged to gain access to users’ photos and information by making their private profiles public.

The expert found that the service didn’t use any mechanism to prevent CSRF attacks. This allowed him to create a simple CSRF exploit.

The security hole was first reported to Facebook on August 22, 2013. Facebook deployed a fix on September 6, but the researcher found a way to bypass it.

A second fix was rolled out, but it too turned out to be ineffective. Instagram was properly patched against CSRF attacks only on February 4, 2014.

Additional technical details on this Instagram CSRF vulnerability are available on the security researcher’s blog.
CSRF vulnerability in Instagram fixed by Facebook
   CSRF vulnerability in Instagram fixed by Facebook
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

Comments