Instagram website source code exposed private information of thousands
A security researcher discovered a flaw in Instagram's website that left user contact information exposed for months, potentially allowing nefarious actors to create databases containing the phone numbers and email addresses of thousands.
David Stier, a data scientist and business consultant, earlier this year discovered an issue with Instagram's website in which source code for some user profiles contained private contact information not made available on public-facing pages, reports CNET.
Citing archived versions of Instagram profiles dating back to October 2018, Stier believes thousands of accounts were impacted by the flaw, including pages belonging to private individuals, minors and businesses. The researcher informed Instagram of the problem in February and the company issued a patch in March.
As CNET notes, the exposure was a prime opportunity to harvest contact data from the photo sharing service. Because the fields sat in the page source rather than behind any access control, anyone fetching profile pages and parsing the embedded data during the roughly four-month window could have assembled a large database of user phone numbers and email addresses.
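The flaw described above is a classic case of a server-rendered page shipping more data than the visible profile shows. The following is an added illustration, not Instagram's code or anything from CNET's or Stier's reporting, of the kind of release check that would have caught it: it pulls every JSON payload embedded in a page's `<script type="application/json">` tags (the embedding format is an assumption), walks the structure, and flags any path whose key is a known contact field or whose value looks like an email address or phone number. The two sample pages and the field names are constructed for the example.

```python
"""Check a server-rendered profile page for contact data embedded in its source.

Added illustration, not Instagram's code. The HTML samples are constructed and the
field names in SENSITIVE_KEYS are assumptions about what a profile payload might carry.
"""
import json
import re
from html.parser import HTMLParser

# Keys that have no business appearing in a public profile payload (assumed names).
SENSITIVE_KEYS = {"email", "phone", "phone_number", "public_email"}
# Value-based fallbacks, so a leak under an unexpected key name is still caught.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{7,}\d$")


class JsonScriptExtractor(HTMLParser):
    """Collect the bodies of <script type="application/json"> tags."""

    def __init__(self):
        super().__init__()
        self._in_json = False
        self.blobs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("type") == "application/json":
            self._in_json = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_json = False

    def handle_data(self, data):
        if self._in_json and data.strip():
            self.blobs.append(data)


def walk(node, path=""):
    """Yield (json_path, value) for every scalar in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_contact_leaks(html):
    """Return the sorted JSON paths in a page's embedded payloads that carry contact data."""
    extractor = JsonScriptExtractor()
    extractor.feed(html)
    leaks = set()
    for blob in extractor.blobs:
        try:
            data = json.loads(blob)
        except json.JSONDecodeError:
            continue  # not a JSON payload we can inspect; skip it
        for path, value in walk(data):
            # Last path segment without any list index, e.g. "contacts[0].email" -> "email".
            key = path.rsplit(".", 1)[-1].split("[")[0]
            if key in SENSITIVE_KEYS:
                leaks.add(path)
            elif isinstance(value, str) and (EMAIL_RE.match(value) or PHONE_RE.match(value)):
                leaks.add(path)
    return sorted(leaks)


# Constructed samples: a page that leaks business contact details, and the fixed page.
LEAKING_PAGE = """<html><body>
<script type="application/json" id="profile">
{"user": {"username": "alice", "is_business": true,
          "business_contact": {"email": "alice@example.com", "phone": "+1 415 555 0100"}}}
</script><p>alice</p></body></html>"""

FIXED_PAGE = """<html><body>
<script type="application/json" id="profile">
{"user": {"username": "alice", "is_business": true}}
</script><p>alice</p></body></html>"""

if __name__ == "__main__":
    print("leaking page:", find_contact_leaks(LEAKING_PAGE))
    print("fixed page:  ", find_contact_leaks(FIXED_PAGE))
```

Run as a test against rendered pages before deploy, the check fails the build on any non-empty result; the value-based regexes matter because the key-name allowlist only protects against the fields you already thought of.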
One such list might already be in use. A report on Monday revealed an unsecured database maintained by Indian social media marketing firm Chtrbox leaked personal contact information tied to millions of Instagram influencer accounts, including users not affiliated with the company. An ensuing investigation found the database included 49 million records, a figure that continued to grow until the list was pulled from Amazon Web Services later that day.
Chtrbox said in a statement that the information it gathered was neither private nor sourced unethically, according to Wednesday's report. Instagram's terms of use prohibit profile scraping, and Chtrbox has not explained how it obtained data that is not easily available to ordinary users.
Instagram is investigating both Stier's report and the Chtrbox database.
"We're looking into the issue to understand if the data described - including email and phone numbers - was from Instagram or from other sources," Instagram owner Facebook said in a statement on Monday. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available."
A year before the source code exposure, Instagram dealt with a similar privacy incident when attackers exploited a bug in the service's developer API to glean phone numbers and email addresses attached to high-profile accounts.
Comments
I don't even use Instagram. I have long, 20-digit, random, computer-generated passwords for most things, different for each site. This requires a password manager. I turn on 2-factor for as many sites as I can. Apple is a very important one; I had someone trying to gain access to my account from China!!! Thank goodness for 2-factor being ON!!! Then I changed my Apple password to a long random one also so it doesn't happen again. I have it on even for Amazon, though Amazon is annoying and the worst!!!
So: long random passwords, use 2-factor everywhere, and give out as little info as possible. Really, stay away from Facebook if you can. I do end up missing things because I don't really use Facebook. If someone doesn't call me, I won't know about it. Still not worth using Facebook. Most all of this social media crap... no thanks.
We don’t want to regulate anything, so... when exactly is laissez-faire capitalism going to fix this? The computer/tech industry is an embarrassment to any rationally-minded human being. Good thing for the industry that they’ve gotten geeks everywhere to inculcate “lusers” and “newbies” into believing that this is all normal.
I sure hope we see the rise of some good alternate social media platforms soon.
Agreed. They need to be hit with something substantial. So long as the negative consequences and any actual fines are pocket change in comparison to the money they are rolling in, they'll just keep on keeping on. (And, great point about laissez-faire capitalism... it was never intended to be like that. The foundations were connected to a realistic understanding of human nature, but modern economics has become more a flawed science than a social science.)