Users of the 'Download your data' tool on public PCs exposed

Nov 19, 2018 20:03 GMT

Instagram, the multimedia sharing platform owned by Facebook and home to roughly 1 billion monthly active users during June 2018, disclosed that it leaked the passwords of individuals who used the 'Download Your Data' feature on public computers.

Ironically, the 'Download Your Data' tool was introduced by Instagram in April to allow their users to quickly get an idea of all the data they shared on the social platform, as a response to the European General Data Protection Regulation (GDPR), enacted on May 25, 2018.

However, in a twisted turn of fate, the tool that should have helped Instagram's users get an overview of all the data Instagram collected actually revealed their passwords in plain text, as reported by The Information.

"If you want a copy of everything you've shared on Instagram, you can request a download of your data in a machine readable (JSON) format," says Instagram's support website. "You'll need your Instagram account password to request this information."

To be more exact, all users who employed 'Download your Data' to download an archive of all the data they shared on Instagram had their password exposed by being included in the tool's URL.
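To show why a password carried in a URL matters on a shared computer, where the full URL persists in browser history and similar records, here is an added Python example; it is not Instagram's code and not part of the original report. The parameter names, hosts and history lines are constructed assumptions, since Instagram did not disclose the actual URL format, and the check also covers fragments and user:password@host URLs, which goes beyond the case described above.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (an assumption made for this example).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def _scrub(component, leaked):
    """Redact secret-looking key=value pairs in a query string or fragment."""
    pairs = parse_qsl(component, keep_blank_values=True)
    hits = [k for k, v in pairs if k.lower() in SENSITIVE_KEYS and v]
    if not hits:
        return component  # leave untouched so ordinary fragments survive
    leaked.extend(hits)
    return urlencode([(k, "REDACTED" if k in hits else v) for k, v in pairs])


def redact_url(url):
    """Return (safe_url, leaked_keys) for one URL."""
    leaked = []
    p = urlsplit(url)
    netloc = p.netloc
    if p.password:  # user:password@host form
        leaked.append("userinfo")
        netloc = f"{p.username}:REDACTED@{netloc.rsplit('@', 1)[1]}"
    safe = urlunsplit((p.scheme, netloc, p.path,
                       _scrub(p.query, leaked), _scrub(p.fragment, leaked)))
    return safe, leaked


def scan(lines):
    """Yield (line_no, safe_url, leaked_keys) for each URL carrying a secret."""
    for n, line in enumerate(lines, 1):
        safe, leaked = redact_url(line.strip())
        if leaked:
            yield n, safe, leaked


# Constructed sample: URLs as they might sit in a shared PC's browser history.
HISTORY = [
    "https://social.example/accounts/export?user=alice&password=Tr0ub4dor%263",
    "https://social.example/p/12345#comments",
    "https://social.example/login#token=abc123",
    "https://bob:hunter2@files.example/archive.zip",
]

if __name__ == "__main__":
    for n, safe, leaked in scan(HISTORY):
        print(f"line {n}: {leaked} -> {safe}")
```

The same check can be run over proxy or web server access logs before they are shared, so that only the redacted form leaves the system.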

Facebook asked Instagram users to reset their passwords

Although any Instagram user who used the 'Download your data' tool could have been affected by this security issue, a spokesperson of the multimedia sharing platform told The Information on Thursday that the bug was "discovered internally and affected a very small number of people."

What is interesting is that Instagram did not say when the issue was discovered, how many users were affected, or what mechanism led to the bug.

Even though Instagram did not say anything about how the passwords were exposed in plain text in the first place, it is easy to conclude that they were stored without being encrypted, given that no programming bug would accidentally decrypt passwords and then add them to URLs.

Given that Instagram is owned by Facebook, which already has a quite lousy cybersecurity record with multiple critical security breaches during 2018, a severe security issue affecting Instagram was long overdue.

According to The Information's report, Facebook sent notifications to Instagram users saying that the bug affecting the Instagram 'Download your data' feature was fixed, and that passwords need to be reset and browser caches cleared as a precautionary measure.