A recently uncovered bug in the hugely popular Instagram app has led to accounts being compromised. On Friday, Instagram’s CTO Mike Krieger issued a statement assuring that it was only a “low percentage” of users that had been affected. This came just days after it was discovered that Selena Gomez, actress and singer, had been the victim of a hack.
This low percentage might not be the case any longer. An unknown hacker is now claiming responsibility for the attack, alleging the figure could be close to six million affected accounts.
Reported by Ars Technica:
“He learned of the vulnerability in an IRC discussion. He also said he’s sure other people have independently exploited the bug but doubts most were able to make their attacks scale the way his did. About 12 hours after his mass exploit started, he said, Instagram plugged the underlying security hole. He said that it was possible to steal data at roughly 1 million accounts per hour, which is much faster than first thought. At that rate, it would have taken almost two weeks to download the 700 million-user records, and longer to obtain the entire database.”
It's been discovered on an underground forum that personal details are now being sold on ‘DoxAgram’. The site allows anyone to search for stolen information for $10 per account.
Instagram has yet to confirm the hacker’s claim that as many as six million accounts were compromised. However, they are currently investigating the breach, so we’re likely to learn more from them in the coming days. If the information is legitimate, Instagram’s reputation will be in the firing line.
Kaspersky Lab first noticed the bug and notified Instagram on Tuesday, 29 August. Their researchers have now provided the technical details of how the hacker was able to harvest the data in the first place.
The researchers discovered that the vulnerability exists in outdated versions of the app (version 8.5.1, current version is 12.0.0). Using the outdated application, the attacker resets their password and captures the request using a web proxy.
They then select a victim and send a request to Instagram’s server carrying the target’s unique identifier or username. The server returns a JSON response with the victim’s personal information, including sensitive data such as their email address and phone number.
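To make the mechanism concrete, here is an added illustration in Python (not Kaspersky’s or Instagram’s code) of the pattern the researchers describe and of a hardened equivalent: the vulnerable handler echoes the target’s email and phone in the JSON response to a reset request, while the fixed handler returns the same generic message whether or not the account exists and refuses clients below a minimum version. The user store, the version threshold and the enumeration monitor threshold are constructed assumptions for the example.

```python
# Constructed sample user store standing in for a backend; not real account data.
USERS = {
    "alice": {"id": 1, "email": "alice@example.com", "phone": "+15550100"},
    "bob":   {"id": 2, "email": "bob@example.net",   "phone": "+15550199"},
}

# Assumed minimum client build: the article says the flaw lived in outdated app
# versions (8.5.1) and was absent from the current one (12.0.0).
MIN_CLIENT_VERSION = (12, 0, 0)


def parse_version(version: str) -> tuple:
    """Turn '8.5.1' into (8, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_reset(target: str) -> dict:
    """Leak pattern from the article: the reset response carries the victim's PII."""
    user = USERS.get(target)
    if user is None:
        return {"status": "fail", "message": "no such user"}
    # Echoing contact details lets anyone who knows a username harvest them.
    return {"status": "ok", "email": user["email"], "phone": user["phone"]}


def hardened_reset(target: str, client_version: str) -> dict:
    """Fixed behaviour: never echo contact details, give one answer for all usernames,
    and turn away clients older than the minimum supported build."""
    if parse_version(client_version) < MIN_CLIENT_VERSION:
        return {"status": "fail", "message": "client update required"}
    user = USERS.get(target)
    if user is not None:
        pass  # deliver the reset link server-side; nothing about the account is returned
    # Identical response for existing and non-existing accounts defeats enumeration.
    return {"status": "ok", "message": "If the account exists, a reset link has been sent."}


class ResetMonitor:
    """Detection side: flag a client that requests resets for many distinct targets,
    the shape of the mass harvesting described above (threshold is an assumption)."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.targets_by_client = {}

    def record(self, client: str, target: str) -> bool:
        """Return True once this client has touched `threshold` distinct usernames."""
        seen = self.targets_by_client.setdefault(client, set())
        seen.add(target)
        return len(seen) >= self.threshold
```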
Kaspersky has advised users running old versions of the app to update it immediately to the latest version.
For more information on celebrity leaks and some tips to keep your accounts secure, check out our blog post 'How safe are your selfies?'
A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in Instagram’s mobile API, specifically in the password reset option, which exposed users’ mobile numbers and email addresses in the JSON response—but not passwords.