@ZHacker13 discovered a flaw in Instagram that exposed the user account information, allowing an attacker to access user phone number and real name
Instagram had a flaw that allowed an attacker to access account information, including user phone number and real name. It has been discovered by the cyber security researcher @ZHacker13. According to Security Affairs, ZHacker13 found the vulnerability in August and reported the issue to Facebook that asked for additional time to address the issue, before fixing it. “In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”
The cyber security expert: Attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details
The cyber security expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details. Just a week before ZHacker13 disclosed the Instagram bug, phone numbers associated with 419 million accounts of the social network giant were exposed online. It is not clear if the two incidents could have the same root cause. “I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told to Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about pathing it.” Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/ attackable database of users, bypassing protections protecting that data.”
Facebook addressed the flaw and is evaluating to reward @ZHacker13 for reporting the bug as part of its bug bounty program
The cyber security expert explained that he discovered the flaw by using the platform’s contact importer in combo with a brute-force attack on its login form. The attack scenarios is composed of two steps: The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account. Then, he finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature. Facebook explained that his company modified the contact importer in Instagram to address the flaw. “we have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.” said a spokesman. Moreover the company is evaluating to reward @ZHacker13 for reporting the bug as part of its bug bounty program.