The issue has now been resolved, and @ZHacker13, who confirmed that the vulnerability was real, also reports that the technique no longer works. The problem stemmed from Instagram's contact importer and from a login form that could be brute-forced to reveal whether a given phone number was linked to an account.
An attacker could have harvested the data in two ways:
- First, by brute-forcing Instagram's login form with a simple script. For each phone number submitted, the form acted as a "yes/no" oracle indicating whether that number belonged to a live Instagram account. Spread across many bots, this loop could return a large set of confirmed live accounts and their numbers.
- Second, by creating bot accounts and abusing the "sync contacts" feature. Instagram limited contact syncing to three times per day per account, but with enough bot accounts that per-account limit stops mattering, and the combined syncs could pull a large volume of user data.
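The two paths above both come down to an endpoint that answers "is this number registered?" and a limit that is enforced per account rather than per attacker. The following is an added illustration, not code from the original article and not Instagram's or Facebook's own implementation. It models a deliberately leaky lookup as a yes/no oracle, shows the enumeration loop an attacker runs against it, and then a hardened lookup that returns the same response regardless of whether the number exists and throttles on both the acting account and the source IP so that a farm of bot accounts behind one address cannot multiply the quota. The phone numbers, limits, and the `LookupService` class are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: numbers that "have" an account (hypothetical, not real).
REGISTERED = {"+15550001", "+15550002", "+15550003"}


# --- 1. The leaky pattern: a yes/no oracle --------------------------------
def vulnerable_lookup(phone: str) -> dict:
    """Returns a different response depending on whether the number exists.

    That difference is the whole vulnerability: one request per candidate
    number tells the attacker whether it is tied to a live account.
    """
    if phone in REGISTERED:
        return {"status": "ok", "account_exists": True}
    return {"status": "error", "message": "No account found for this phone number"}


def enumerate_via_oracle(candidates: list[str]) -> list[str]:
    """What an attacker's brute-force loop does: keep every number the oracle
    confirms. In practice the candidate list is a whole number range and the
    requests are spread over many bots."""
    return [p for p in candidates if vulnerable_lookup(p).get("account_exists")]


# --- 2. A hardened lookup: uniform response plus layered quotas ------------
@dataclass
class LookupService:
    """Hypothetical hardened endpoint (assumed design, not the vendor's fix).

    - per_principal_limit caps how often one account may query (the article
      mentions a three-per-day sync limit; the value here is just illustrative).
    - per_ip_limit caps the network source, so creating more bot accounts
      behind the same address does not buy more lookups.
    """
    per_principal_limit: int = 3
    per_ip_limit: int = 10
    _by_principal: dict = field(default_factory=lambda: defaultdict(int))
    _by_ip: dict = field(default_factory=lambda: defaultdict(int))

    def lookup(self, principal: str, ip: str, phone: str) -> dict:
        if (self._by_principal[principal] >= self.per_principal_limit
                or self._by_ip[ip] >= self.per_ip_limit):
            return {"status": "throttled"}
        self._by_principal[principal] += 1
        self._by_ip[ip] += 1
        # Identical response whether or not the number is registered, so the
        # attacker learns nothing from the reply. Any real signal (e.g. a
        # verification code) would go out of band to the number itself.
        return {"status": "ok",
                "message": "If this number is registered, a code has been sent to it"}


if __name__ == "__main__":
    print("oracle leaks:", enumerate_via_oracle(["+15550001", "+15559999", "+15550002"]))
    svc = LookupService()
    for p in ["+15550001", "+15559999"]:
        print("hardened:", svc.lookup("bot1", "203.0.113.5", p))
```

Note that the uniform response fits a login or account-recovery form; a contact importer must by design match some numbers to accounts, so for that path the defence is the per-source quota (and, where possible, limiting matches to numbers whose owners have opted in), which is why the quota is keyed on more than the requesting account.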
Together, these two weaknesses could have led to a severe data leak from Instagram. When @ZHacker13 reported the issue to Facebook, he was told that the team had already identified the bug and was working on it.
In its response, Facebook said that "enumeration vulnerabilities which demonstrate that a given e-mail address or mobile phone number is tied to an Instagram account" are "extremely low risk". However, a lookup that ties an active Instagram account to an email address or phone number is exactly the kind of data that makes targeted attacks on the account's owner easier, so it can cause serious harm as well.
Because the bug was already known internally, Facebook initially indicated that the report would not qualify under its bounty programme. It nevertheless assured the researcher that he would be rewarded for the discovery.
So far there are no reports of the data being exploited, which suggests the discovery was made before anyone else got past Instagram's protections. Whether the data was ever misused, however, has not been confirmed.
If it was, the harm to users could be serious: the leaked mappings give attackers a starting point for targeting individuals, and the contact details of high-profile people on Instagram could be abused in the same way.
Attackers could have used these phone numbers and account identifiers to do considerably more damage, so credit goes to the researcher for identifying the issue in time. The same lookup could also be run in reverse, returning the phone number for a targeted account, so a fix has to cover both directions for the issue to be fully addressed.
A Facebook spokesperson told Forbes: "We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts".
Facebook has recently dealt with a major security incident of its own, so it should not take its users' privacy lightly. The team has resolved this issue, and @ZHacker13 has confirmed that the fix works. Once again, thanks are due to the researchers who kept users' data from being misused by attackers.