Instagram vulnerability exposed user data; Patch issued after alert

News by SC Staff

Facebook patches a security vulnerability in Instagram, which helped attackers access the details linked to individual accounts

Facebook has conceded that a security vulnerability in Instagram put users' data at risk, leaving Instagrammers exposed to cyber-attacks, reported Forbes. The vulnerability was flagged by an Israeli hacker who goes by the Twitter handle @ZHacker13.

This particular flaw helped attackers access the details linked to Instagram accounts, such as the real names of users, account numbers and Instagram handles, and phone numbers. The Israeli hacker was successful in harvesting user data that was supposed to be secure, said the report.

Facebook has now patched the vulnerability, the report added.

Synopsys senior security strategist Jonathan Knudsen said he considers this a good development for data security in social media.

"Software security is an organisational skill. No matter how good you are, there's always room for improvement. The fact that the reported vulnerability in Instagram is ‘complex’ to exploit is actually a good indication," he said.

This is the latest in a list of troubles that the social media service's popularity has brought it. Instagram has been gaining more users than Facebook, attracting the attention of data-harvesting campaigns as well as phishing networks.

Researchers recently spotted a sneaky phishing scam that uses a phony two-factor authentication request to trick email recipients into entering their Instagram login credentials. Another phishing campaign lured users with the coveted verified account status.

Instagram came under fire last month for its lax oversight, when it was reported that its advertising partner Hyp3r held a database of Instagrammer profiles, stitched together from the bits of data it used.

edgescan CEO and cofounder Eoin Keary told SC Media UK at the time that valuable user data will always trigger developments like these.

"People need to understand that if an app is free to use, the product is the user. The majority of social media apps and networks leverage individuals’ data as a commodity, that’s their business model, we should not forget that."  

Patrick Hunter, EMEA sales engineering director at One Identity, called the Hyp3r situation a configuration issue.

"Lax security around access is one of the most commonly used backdoors to allow hackers in. In that case it was a trusted third party, but the net result is the same," he told SC Media UK.

Discovering an easily exploitable vulnerability, by contrast, would indicate that something fundamental was wrong with Facebook's software security methodology, said Knudsen.

"A complex-to-exploit vulnerability is still cause for concern, and should influence Facebook's future bug hunting efforts, but hopefully it shows that simpler, more obvious bugs have been addressed already." 
