Facebook confirmed a new Instagram data-leaking bug that puts user data under risk. The vulnerability lets hackers access sensitive information such as account details and phone numbers.
The vulnerability in Instagram was discovered by an Israeli hacker with the Twitter handle @ZHacker13.
The vulnerability opens the gateway for threat actors to abuse the user data.
How the Instagram Data-Leaking Bug Is Exploited
So how does it work?
First, the attacker uses a simple algorithm to brute-force Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
The form will return a yes/no—the number is valid or it isn’t.
A single instance of the algorithm can harvest more than 1,000 genuine Instagram numbers each day.
And there is no limit on the number of algorithms that can be run in parallel.
On average, @ZHacker13 expects 15,000 requests to return around 1,000 live numbers.
The second step is to find the account name; this step takes advantage of Instagram’s Sync Contacts feature.
The bot sets up a new account. Once the account is set up, Instagram asks to sync contact details, and the sync returns the account names for the numbers in the contact list. If the contact list holds a single number, the sync returns that one account’s details.
Instagram has limited syncing to three times per day per account.
That means each bot can return three users’ details each day.
Again, there is no limit to the number of bots that can be run—40 or more can operate continuously on a single machine.
“In theory,” @ZHacker13 said, “I can get all Instagram users’ details and phone numbers.”
In theory because the limiting factor is processing—enumerating phone numbers and then running enough bots to overcome the three syncs per day.
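The two-step enumeration above leaves a recognisable trail on the server side: one client probing many distinct phone numbers against the login endpoint, followed by freshly created accounts each syncing a one-entry contact list. The following detection logic is an added example written for this article; it is not code from Instagram, Facebook, or @ZHacker13. It assumes a hypothetical access-log format (one JSON object per line with `ts`, `src`, `path` and, per endpoint, `phone`/`result` or `account`/`account_age_minutes`/`contacts_count` fields), builds a small constructed log in that format, and flags both patterns.

```python
"""Detecting the two enumeration steps described in the article.

Added example with a hypothetical log format; the sample log below is
constructed, not real traffic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build a small constructed log: one JSON object per line."""
    t0 = datetime(2019, 9, 12, 10, 0, 0)
    lines = []
    # Enumeration bot: 30 distinct numbers from one source within 5 minutes.
    for i in range(30):
        lines.append({"ts": (t0 + timedelta(seconds=10 * i)).isoformat(),
                      "src": "203.0.113.7", "path": "/login",
                      "phone": f"+1555000{i:04d}",
                      "result": "account_exists" if i == 17 else "no_account"})
    # Ordinary user: retries the same number twice with a bad password, then succeeds.
    for i in range(3):
        lines.append({"ts": (t0 + timedelta(minutes=1, seconds=30 * i)).isoformat(),
                      "src": "198.51.100.5", "path": "/login",
                      "phone": "+15557654321",
                      "result": "bad_password" if i < 2 else "ok"})
    # Fresh throwaway accounts each syncing a one-entry contact list (second step).
    for i in range(3):
        lines.append({"ts": (t0 + timedelta(minutes=20, seconds=i)).isoformat(),
                      "src": "203.0.113.7", "path": "/contacts/sync",
                      "account": f"bot{i}", "account_age_minutes": 2, "contacts_count": 1})
    # A genuine sync: an established account uploading a normal-sized address book.
    lines.append({"ts": (t0 + timedelta(minutes=25)).isoformat(),
                  "src": "198.51.100.5", "path": "/contacts/sync",
                  "account": "alice", "account_age_minutes": 90000, "contacts_count": 212})
    return "\n".join(json.dumps(rec) for rec in lines)


SAMPLE_LOG = _constructed_log()

WINDOW = timedelta(minutes=10)       # sliding window for counting distinct identifiers
DISTINCT_THRESHOLD = 20              # far more distinct numbers than a human would try


def parse_log(text):
    """Parse the JSON-lines log into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_enumerators(events, window=WINDOW, threshold=DISTINCT_THRESHOLD):
    """Map each flagged source to the largest number of distinct phone numbers
    it probed at /login within any single window of `window` length.

    A user mistyping a password repeats the same identifier, so counting
    *distinct* identifiers separates enumeration from ordinary retries.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["path"] == "/login" and e.get("phone"):
            by_src[e["src"]].append((e["ts"], e["phone"]))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        best, start = 0, 0
        for end in range(len(probes)):
            # Advance the window start until all probes fit inside `window`.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = len({phone for _, phone in probes[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def find_single_contact_syncs(events, max_age_minutes=60, max_contacts=1):
    """Return accounts that are both newly created and syncing a tiny contact
    list; a legitimate address-book sync is neither."""
    return sorted(
        e["account"] for e in events
        if e["path"] == "/contacts/sync"
        and e["account_age_minutes"] <= max_age_minutes
        and e["contacts_count"] <= max_contacts
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumerating sources:", find_enumerators(evs))
    print("suspicious one-contact syncs:", find_single_contact_syncs(evs))
```

On the constructed log the first check flags only 203.0.113.7 (30 distinct numbers in under five minutes) and leaves the genuine user alone, while the second check lists the three fresh accounts that each uploaded a single contact. The thresholds and the 60-minute account-age cutoff are assumptions chosen for the sample; a real deployment would tune them against its own baseline, and the more durable fix is to remove the yes/no oracle from the login form so that an existing and a non-existing number produce indistinguishable responses.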
I ran two tests with @ZHacker13, giving him incomplete numbers that would have up to 1,000 potential numbers.
In each case, he returned the valid account details linked to the full phone number.
“With resource,” @ZHacker13 said, “I could build a large database of millions of Instagram users’ records.” He gave me stats as to how much processing he’d need to harvest millions of identities.
It was doable.
The vulnerability was reported to Facebook by @ZHacker13, but Facebook responded: “the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.”
Forbes contacted Facebook to raise the profile of the security researcher’s disclosure, and Facebook is now making changes to protect user contact details.
Recently, an online database exposed 419 million Facebook user accounts from an unsecured server; the records included each account’s unique Facebook ID and the phone number listed with it.