A Spanish researcher demonstrated the flaw by befriending Facebook's CEO

Jul 12, 2012 07:59 GMT  ·  By

Spanish security researcher Sebastián Guerrero has identified a vulnerability in Instagram that could allow an attacker to add himself to anyone’s friend list and access their private information. Dubbed the “friendship vulnerability,” the bug has been addressed in a fairly short amount of time.

The expert found that Facebook’s popular photo-sharing service contained a serious security hole that could be leveraged to launch a brute force attack in the context of the app. By doing so, the attacker could add himself as a friend and gain access to all the pictures and private details stored in the target account.

Apparently, the issue affected both the Android and the iOS versions and was caused by “the lack of control on the logic applied to authorization feature.”
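The article only says that the follow/approval logic lacked an authorization control, so the following is an added, constructed illustration of that bug class, not Instagram's code and not a reconstruction of the actual flaw. It models a toy follow-request service (all names such as `FollowService`, `approve_vulnerable`, `approve_fixed` and the accounts `stranger` and `private_user` are hypothetical) in which the vulnerable approval path verifies that a request is pending but never verifies that the session user approving it is the account being followed; the hardened path adds that check and counts denied attempts so repeated probing shows up in monitoring.

```python
from collections import defaultdict
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when an account tries an action it is not allowed to perform."""


@dataclass
class FollowService:
    """Toy follow/follower store (constructed example, not Instagram's code)."""
    private_accounts: set
    # target account -> accounts that may see its private content
    followers: dict = field(default_factory=lambda: defaultdict(set))
    # target account -> accounts whose follow request awaits approval
    pending: dict = field(default_factory=lambda: defaultdict(set))
    # session user -> number of approvals refused for lack of authorization
    denied_approvals: dict = field(default_factory=lambda: defaultdict(int))

    def request_follow(self, requester, target):
        """Public accounts are followed immediately; private ones need approval."""
        if target in self.private_accounts:
            self.pending[target].add(requester)
        else:
            self.followers[target].add(requester)

    def approve_vulnerable(self, session_user, requester, target):
        """Hypothetical vulnerable version: confirms the request is pending but
        ignores session_user, so anyone can approve a follow on any account."""
        if requester in self.pending[target]:
            self.pending[target].discard(requester)
            self.followers[target].add(requester)
            return True
        return False

    def approve_fixed(self, session_user, requester, target):
        """Hardened version: only the target account may approve its own
        pending requests. Refusals are counted as a detection signal."""
        if session_user != target:
            self.denied_approvals[session_user] += 1
            raise NotAuthorized(f"{session_user} may not approve follows for {target}")
        return self.approve_vulnerable(session_user, requester, target)

    def can_view_private_content(self, viewer, target):
        """Private photos and details are visible only to the owner and approved followers."""
        return (target not in self.private_accounts
                or viewer == target
                or viewer in self.followers[target])


def demo():
    """Try a self-approved follow request against both versions and report what happens."""
    results = {}

    # Constructed scenario 1: the vulnerable path lets the requester approve its own request.
    svc = FollowService(private_accounts={"private_user"})
    svc.request_follow("stranger", "private_user")
    svc.approve_vulnerable(session_user="stranger", requester="stranger", target="private_user")
    results["vulnerable_can_view"] = svc.can_view_private_content("stranger", "private_user")

    # Constructed scenario 2: the fixed path refuses and records the attempt.
    svc = FollowService(private_accounts={"private_user"})
    svc.request_follow("stranger", "private_user")
    try:
        svc.approve_fixed(session_user="stranger", requester="stranger", target="private_user")
    except NotAuthorized:
        pass
    results["fixed_can_view"] = svc.can_view_private_content("stranger", "private_user")
    results["denied_attempts"] = svc.denied_approvals["stranger"]

    # The legitimate owner can still approve the same request.
    results["owner_approval"] = svc.approve_fixed(
        session_user="private_user", requester="stranger", target="private_user")
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the authorization decision is derived from the authenticated session, not from any identifier the client submits; the `denied_approvals` counter is there so that a burst of refused approvals from one session can be alerted on rather than silently dropped.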

To demonstrate his findings, Guerrero added himself as a friend to Mark Zuckerberg’s account and congratulated him for purchasing Instagram.

“Congratulations Mark for Instagram acquisition. When would it be eligible under the bounty bug program? :):),” he wrote to Facebook’s founder.

The researcher reported the vulnerability to Instagram, and the company quickly addressed it.

“We were recently alerted to a bug in the way our following / followers system works. Due to this bug, in very specific circumstances a following relationship could be created incorrectly,” Instagram explained.

They also added that the “following bug” – as they call it – hasn’t been abused by anyone other than the researcher, who performed “minimal experiments.”

Furthermore, they claim that private users and their details haven’t been at risk.

While Instagram should be applauded for fixing the flaw so quickly, we would like to take this opportunity to remind users to be on the lookout for fake versions of the photo-sharing app that have been making the rounds.

Experts have warned on numerous occasions about malicious applications that pose as Instagram on third-party markets.