This article originally appeared in Information Security Buzz on September 13, 2019.
Instagram’s parent company Facebook has confirmed that a newly discovered security vulnerability may have put data at risk, leaving users open to attack by threat actors. A security researcher ran tests on the platform and successfully retrieved “secure” user data. This data included users’ real names, Instagram account numbers and handles, and full phone numbers. The linking of this data is all an attacker would need to target those users. Facebook has since made changes to Instagram to protect its users.
Jake Moore, Cybersecurity Specialist, ESET
September 24, 2019
Luckily, this threat would be extremely difficult to carry out en masse. Theoretically, this leak does have consequences as it connects private data to accounts. Providing a phone number to associate with an account will soon become old fashioned as we start using authenticator apps for verification. In the meantime, it is seen as the go-to method of two-factor authentication.
Authenticator apps are increasing in popularity, as people move across to this more secure protection feature. There is still some time to go before these apps become the most common method to verify an account.
Brandon Chen, Digital Security and Operations Manager, The Media Trust
September 16, 2019
Vulnerabilities in contact importers can open a website or web application to a variety of attacks like brute force, SQL injection, and those involving compromised third parties, to name a few. Unfortunately, these attacks are not uncommon. If the site or app has a field where users can log into their account, and developers are not enforcing parameters for queries and input for that field, bad actors can enter and execute malicious SQL statements that give them access to the database server behind the web application. If a third-party code provider is known to have visibility of or access to the information of its clients’ users, that provider would be a prime target for hackers. Avoiding these attacks requires a layered approach that includes continually monitoring these web assets for unauthorized actors and activities, having white hat hackers test the assets’ security defenses, and setting down rules to strengthen users’ passwords.
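The login-field scenario in the comment above, as an added example that is not part of the original article or of any quoted expert's material: a lookup that pastes the handle into the SQL text beside one that binds it as a parameter. The table, handles, phone numbers and passwords are constructed sample data, and SHA-256 stands in for a proper password KDF to keep the block short.

```python
import hashlib
import hmac
import sqlite3


def sha256_hex(text):
    # Fast hash used only to keep this example short; a real login store
    # would use a slow, salted KDF such as argon2 or bcrypt.
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    # Constructed in-memory user table with sample rows (not real account data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (handle TEXT, password_hash TEXT, phone TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", sha256_hex("correct horse"), "+1-555-0100"))
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("o'brien", sha256_hex("battery staple"), "+1-555-0101"))
    conn.commit()
    return conn


def login_unsafe(conn, handle, password):
    # Vulnerable: the handle field is concatenated into the SQL text, so quote
    # characters in the input change the structure of the query itself. A
    # legitimate handle containing an apostrophe breaks the query, and a
    # crafted handle can comment out the password check entirely.
    sql = ("SELECT handle, phone FROM users WHERE handle = '" + handle
           + "' AND password_hash = '" + sha256_hex(password) + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, handle, password):
    # Hardened: the placeholder keeps the query structure fixed and the driver
    # passes the handle purely as data; the credential check happens in code
    # with a constant-time comparison.
    row = conn.execute(
        "SELECT handle, phone, password_hash FROM users WHERE handle = ?",
        (handle,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], sha256_hex(password)):
        return None
    return (row[0], row[1])
```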
Anurag Kahol, CTO, Bitglass
September 13, 2019
There is an important distinction between what a user chooses to make public, such as a unique handle or username, and the personally identifiable information (PII) that they use to create accounts. When individuals make user profiles for any given service, they trust that their PII will be kept secure. While Instagram exposed users’ passwords a little less than a year ago, it appears that the company did not sufficiently learn its lesson. Instagram is now reported as having left names, account numbers, and phone numbers exposed, as well.
While there are no signs that credentials were leaked or data was stolen by hackers, users could have had their accounts and information exposed if a researcher hadn’t found the issue and intervened. Companies cannot rely on others to find their security issues and instead must take a more proactive approach to defending user data. Organizations that have complete visibility and control over their data are in a better position to identify and remediate vulnerabilities that could be exploited by malicious actors. The days of reactive security have passed - real-time protections are now absolutely critical.
Jonathan Knudsen, Senior Security Strategist, Synopsys
September 13, 2019
Software security is an organisational skill, and no matter how good you are, there's always room for improvement. The fact that the reported vulnerability in Instagram is "complex" to exploit is actually a good indication. A finding of an easily exploitable vulnerability would indicate that something fundamental was wrong with Facebook's software security methodology. A complex-to-exploit vulnerability is still cause for concern, and should influence Facebook's future bug hunting efforts, but hopefully it shows that simpler, more obvious bugs have been addressed already.
Chris DeRamus, Co-founder & CTO, DivvyCloud
September 13, 2019
As Instagram is the third most popular social media network with more than one billion active users on the platform each month, the social media giant is entrusted with a massive trove of user data. Left unpatched, this security vulnerability could have resulted in a devastating data leak consisting of phone numbers and account numbers that directly link to the usernames and real names of the account holders. With this, a malicious hacker could build a massive and attackable database of Instagram users’ records.
Security vulnerabilities such as this are often due to a misconfiguration. Organizations must do a better job of being proactive in ensuring their data is protected with automated security controls. Even companies with seemingly endless resources struggle with identifying and remediating misconfigurations and other vulnerabilities in real time. This risk is even greater when using cloud service providers, and organizations cannot wait to invest in security solutions that can detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real time to better safeguard sensitive data and maintain trust among users and customers.