Instagram website source code exposed private information of thousands

Posted:
in General Discussion edited May 2019
A security researcher discovered a flaw in Instagram's website that left user contact information exposed for months, potentially allowing nefarious actors to create databases containing the phone numbers and email addresses of thousands.

Instagram


David Stier, a data scientist and business consultant, earlier this year discovered an issue with Instagram's website in which source code for some user profiles contained private contact information not made available on public-facing pages, reports CNET.

Citing archived versions of Instagram profiles dating back to October 2018, Stier believes thousands of accounts were impacted by the flaw, including pages belonging to private individuals, minors and businesses. The researcher informed Instagram of the problem in February and the company issued a patch in March.

As noted by CNET, the exposure presented a prime opportunity to collect sensitive information from the photo sharing service. It is postulated that bad actors were able to create vast databases of user contact information simply by scraping Instagram's website source code during the four-month period in question.

One such list might already be in use. A report on Monday revealed an unsecured database maintained by Indian social media marketing firm Chtrbox leaked personal contact information tied to millions of Instagram influencer accounts, including users not affiliated with the company. An ensuing investigation found the database included 49 million records, a figure that continued to grow until the list was pulled from Amazon Web Services later that day.

Chtrbox in a statement said the information it gathered was not private, nor was it sourced unethically, according to Wednesday's report. Instagram's terms of use prohibit profile scraping, though Chtrbox has failed to detail how it obtained data not easily available to general users.

Instagram is investigating both Stier's report and the Chtrbox database.

"We're looking into the issue to understand if the data described - including email and phone numbers - was from Instagram or from other sources," Instagram owner Facebook said in a statement on Monday. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available."

A year prior to the source code snafu, Instagram was embroiled in a similar privacy kerfuffle when hackers exploited a bug in the service's developer API to glean phone numbers and email addresses attached to high-profile accounts.

Comments

  • Reply 1 of 11
    wonkothesanewonkothesane Posts: 1,717member
    Next one. Ding. Ding. 
    racerhomie3jbdragondysamoriawatto_cobra
  • Reply 2 of 11
    pulseimagespulseimages Posts: 595member
    I hate that Facebook owns Instagram. 
    CarnagejbdragondysamoriacgWerkswatto_cobra
  • Reply 3 of 11
    apple ][apple ][ Posts: 9,233member
    This is like what, the third hilarious security snafu from FB in the span of a week? :#








    olscaladanianpulseimagesdysamoriawatto_cobra
  • Reply 4 of 11
    SpamSandwichSpamSandwich Posts: 33,407member
    LOL
    olswatto_cobra
  • Reply 5 of 11
    longpathlongpath Posts: 393member
    It would be nice if they offered a way for people to determine if they are impacted or not.
    caladanianpulseimagesdysamoriawatto_cobra
  • Reply 6 of 11
    cornchipcornchip Posts: 1,945member
    shocker.
    pulseimagesdysamoriawatto_cobra
  • Reply 7 of 11
    jbdragonjbdragon Posts: 2,305member
    More Facebook privacy issues!!! I limit my Facebook to about 5 minutes once a month on my Desktop at most. I don't have it on my iPhone. I have a very limit amount of Data even listed.

    I don't even use Instagram. I have long 20 digit random computer generated passwords for most things, different for each site. This requires a Password Manager. Turn on 2-Factor for as many sites as I can. Apple is very important for one, had someone trying to gain access into my account from China!!! Thank Goodness for 2 factor being ON!!! Then I changed my Apple password to a long random one also so it doesn't happen again. I have it on even for Amazon, though Amazon is annoying and the worst!!!

    So long random passwords, use 2 factor everywhere, and give out as little info as possible. Really, stay away from Facebook if you can. I do end up missing things because I don't really use Facebook. If someone doesn't call me, I won't know about it. Still not worth using Facebook. Most all of this Social Media crap,..No thanks.
    edited May 2019 cornchippulseimageswatto_cobra
  • Reply 8 of 11
    cornchipcornchip Posts: 1,945member
    guys. let's not freak out; it's only thousands. /s
    DanManTXdysamoriawatto_cobra
  • Reply 9 of 11
    dysamoriadysamoria Posts: 3,430member
    And where are the consequences?

    We don’t want to regulate anything, so... when exactly is laissez-faire capitalism going to fix this? The computer/tech industry is an embarrassment to any rationally-minded human being. Good thing for the industry that they’ve gotten geeks everywhere to inculcate “lusers” and “newbies” into believing that this is all normal.
  • Reply 10 of 11
    cgWerkscgWerks Posts: 2,952member
    I hate that Facebook owns Instagram. 
    Does anyone know how connected they are? Like, does FB just own them (but they operate kind of separately, different team, etc.) or did FB pull it all into one?

    I sure hope we see the rise of some good alternate social media platforms soon.
    watto_cobra
  • Reply 11 of 11
    cgWerkscgWerks Posts: 2,952member

    dysamoria said:
    And where are the consequences?

    We don’t want to regulate anything, so... when exactly is laissez-faire capitalism going to fix this? The computer/tech industry is an embarrassment to any rationally-minded human being. Good thing for the industry that they’ve gotten geeks everywhere to inculcate “lusers” and “newbies” into believing that this is all normal.
    Agreed. They need to be hit with something substantial. So long as the negative consequences and any actual fines are pocket-change in comparison to the money they are rolling in, they'll just keep on keeping on. (And, great point about laissez-faire capitalism... it was never intended to be like that. The foundations where connected to a realistic understanding of human nature, but modern economics has become more a flawed-science than a social-science.)
    watto_cobra
Sign In or Register to comment.