Private photos exposed in Instagram hack

February 11, 2014 – 4:34 AM

Private profiles of Instagram users could be made public as a result of a vulnerability that took almost six months to fix.

The flaw would have enabled hackers to change privacy settings within user profiles to expose potentially sensitive photos to the internet, or to lock down popular pages by marking them as private.

The attack was launched by a malicious phishing link that exploited a Cross Site Request Forgery (CSRF) flaw, a common vulnerability described as “the worst kind of vulnerability [because they are] very easy to exploit by attackers, yet not so intuitively easy to understand for software developers”.

The flaws occur when websites fail to check that sensitive actions – like changing Instagram privacy settings – were actually sent from the authenticated user; instead, most websites just check that the action came from the user’s browser.

The approach is risky because a browser can run code from multiple sites at once, so an action that arrives with the user's session cookie could have been quietly triggered by a second website rather than by the user.

Such a case occurred with Instagram’s mobile app version, white hat hacker Christian Lopez Martin found. “A successful CSRF exploitation could compromise end user data (photos and personal information) by making public [their] Instagram profile,” Martin said in a blog.

“It is important to mention that the vulnerability was completely effective in a real scenario [because] Instagram didn’t implement either CSRF security tokens or the checks that detect if the user-agent came from the mobile app.”
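The mechanism described above, and the two checks Martin says were missing (a CSRF token and a check on where the request came from), shown side by side in a constructed Python example added here. It is not Instagram's code or Martin's: the handler names, the in-memory session and profile stores, the cookie value `sess-abc` and the origins `app.example` and `other-site.example` are all assumptions made for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state for the demo (not Instagram's data model).
SESSIONS = {"sess-abc": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
PROFILES = {"alice": {"private": True}}
OUR_ORIGIN = "https://app.example"  # assumed origin of the legitimate site


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: cookies, form fields, headers."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def set_privacy_vulnerable(req: Request):
    """Only checks that a valid session cookie arrived. The browser attaches
    that cookie to any POST aimed at this host, whichever page built the form,
    so this handler cannot tell the user's own click from a cross-site one."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    PROFILES[session["user"]]["private"] = req.form.get("private") == "1"
    return 200, "privacy updated"


def set_privacy_hardened(req: Request):
    """Same action, plus the two checks the article says were missing."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    # 1. Synchronizer token: issued per session and embedded in our own form.
    #    Another origin cannot read it, so it cannot supply a matching value.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # 2. Source check: browsers set Origin (or Referer) on cross-site POSTs;
    #    reject anything that did not come from our own origin.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not source.startswith(OUR_ORIGIN):
        return 403, "request did not originate from this site"
    PROFILES[session["user"]]["private"] = req.form.get("private") == "1"
    return 200, "privacy updated"


def cross_site_post(session_cookie: str) -> Request:
    """A POST built by a page on another origin (constructed). The browser
    still sends the session cookie, but the form carries no CSRF token."""
    return Request(cookies={"session": session_cookie},
                   form={"private": "0"},
                   headers={"Origin": "https://other-site.example"})


def same_site_post(session_cookie: str) -> Request:
    """The legitimate form submitted from our own settings page (constructed)."""
    return Request(cookies={"session": session_cookie},
                   form={"private": "0",
                         "csrf_token": SESSIONS[session_cookie]["csrf_token"]},
                   headers={"Origin": OUR_ORIGIN})


def run_demo() -> dict:
    """Replay the cross-site POST against both handlers and report the HTTP
    status and whether alice's profile is still private afterwards."""
    results = {}
    PROFILES["alice"]["private"] = True
    status, _ = set_privacy_vulnerable(cross_site_post("sess-abc"))
    results["vulnerable"] = (status, PROFILES["alice"]["private"])

    PROFILES["alice"]["private"] = True
    status, _ = set_privacy_hardened(cross_site_post("sess-abc"))
    results["hardened_cross_site"] = (status, PROFILES["alice"]["private"])

    status, _ = set_privacy_hardened(same_site_post("sess-abc"))
    results["hardened_same_site"] = (status, PROFILES["alice"]["private"])
    return results


if __name__ == "__main__":
    for name, (status, still_private) in run_demo().items():
        print(f"{name}: HTTP {status}, profile private={still_private}")
```

The vulnerable handler accepts the cross-site POST and flips the profile to public; the hardened one rejects it with 403 and leaves the profile private, while the same-site form (which carries the session's token and our own Origin) still succeeds. The token check uses `hmac.compare_digest` so that a token comparison does not leak timing information.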
