Security researcher Christian Lopez discovered a bug in the wildly popular photo-sharing app Instagram, now owned by Facebook, that would have allowed an attacker to silently switch an Instagram user's profile from private to public.
Instagram fixed the bug on February 4th this year, but the loophole had remained open for at least six months, which Lopez attributes to slow and confused handling by Facebook's security team while the vulnerability was being patched.
Lopez said that Facebook paid him a four-figure reward under its "bug bounty" program, which rewards security researchers who report significant security flaws in its software. He added, however, that he was amazed it took Facebook's team six months to ship the fix, which was "more than expected" in his view.
The Instagram hack relied on a commonly available web-attack technique, which the original report labels cross-site scripting. The effect described, a request crafted on an attacker's site being sent to Instagram with the victim's own Instagram session cookies attached, is the pattern usually called cross-site request forgery (CSRF): the attacker does not steal or forge the cookies, the browser attaches them automatically to any request for that site, so a state-changing endpoint that trusts the cookie alone can be driven from a link on another page.
The exploit worked equally against the Android and iOS Instagram apps. As Lopez put it: "You click the link in your browser, and your profile will be set to public."
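To make the mechanism concrete, the following is an added illustration, not Lopez's exploit and not Instagram's code: a toy "set privacy" handler that trusts the session cookie alone, beside a hardened version that refuses GET, checks the request's Origin/Referer against its own origin, and demands a session-bound anti-CSRF token. The endpoint path, the session id `sess-alice`, the origins `instagram.example` and `attacker.example`, and the `Request` class are all invented for the demo.

```python
"""Constructed CSRF demo: a vulnerable state-changing handler beside a hardened one.

Nothing here is Instagram's code or the researcher's exploit; the account store,
session id, origins and endpoint are placeholders invented for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory account store: session cookie value -> account record.
SESSIONS = {"sess-alice": {"user": "alice", "private": True}}

# Hypothetical per-deployment secret used to bind anti-CSRF tokens to a session.
SERVER_SECRET = secrets.token_bytes(32)
OWN_ORIGIN = "https://instagram.example"  # placeholder origin, not a real host


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Token derived from the session with a server secret; a page on another
    origin cannot read the victim's cookie, so it cannot compute this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_set_privacy(req: Request) -> int:
    """Weak handler: any request carrying a valid session cookie flips the
    setting, including the GET a browser makes when the victim clicks a link
    in an e-mail or on an attacker's page."""
    acct = SESSIONS.get(req.cookies.get("session"))
    if acct is None:
        return 401
    acct["private"] = req.params.get("private") == "1"
    return 200


def hardened_set_privacy(req: Request) -> int:
    """Hardened handler: state changes only via POST, only from our own origin,
    and only with a token the attacker's page could not have obtained."""
    acct = SESSIONS.get(req.cookies.get("session"))
    if acct is None:
        return 401
    if req.method != "POST":
        return 405  # a plain link click is a GET; never mutate state on GET
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not origin.startswith(OWN_ORIGIN):
        return 403  # request was initiated by another site
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(req.cookies["session"])):
        return 403  # missing or forged anti-CSRF token
    acct["private"] = req.params.get("private") == "1"
    return 200


def _reset():
    SESSIONS["sess-alice"]["private"] = True


def simulate_link_click(handler):
    """Victim clicks an attacker-supplied link; the browser attaches the
    session cookie automatically. Returns (status, profile_still_private)."""
    _reset()
    req = Request("GET", "/accounts/privacy", {"session": "sess-alice"},
                  params={"private": "0"},
                  headers={"Referer": "https://attacker.example/mail-link"})
    return handler(req), SESSIONS["sess-alice"]["private"]


def simulate_forged_post(handler):
    """Attacker page auto-submits a cross-site POST form, still without a token."""
    _reset()
    req = Request("POST", "/accounts/privacy", {"session": "sess-alice"},
                  params={"private": "0"},
                  headers={"Origin": "https://attacker.example"})
    return handler(req), SESSIONS["sess-alice"]["private"]


def simulate_legitimate_form(handler):
    """The user's own settings page: same-origin POST carrying the issued token."""
    _reset()
    req = Request("POST", "/accounts/privacy", {"session": "sess-alice"},
                  params={"private": "0",
                          "csrf_token": issue_csrf_token("sess-alice")},
                  headers={"Origin": OWN_ORIGIN})
    return handler(req), SESSIONS["sess-alice"]["private"]


if __name__ == "__main__":
    print("vulnerable, link click :", simulate_link_click(vulnerable_set_privacy))
    print("hardened,   link click :", simulate_link_click(hardened_set_privacy))
    print("hardened,   forged POST:", simulate_forged_post(hardened_set_privacy))
    print("hardened,   legit form :", simulate_legitimate_form(hardened_set_privacy))
```

Against the vulnerable handler the simulated link click returns 200 and the profile is public; against the hardened one it is rejected with 405 and a cross-site POST with 403, while the user's own form still succeeds. One caveat worth noting: a `SameSite=Lax` session cookie would not have stopped the link-click variant, because browsers still send Lax cookies on top-level GET navigations; only `SameSite=Strict` or, more robustly, refusing to change state on GET at all closes that path.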
Facebook has responded to Forbes on the issue with this statement:
We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our parent company Facebook’s White Hat Program. We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it. Due to the responsible reporting of this issue to us, we do not have evidence of account compromise using this bug.
Since the whole exploit depended on an unsuspecting Instagram user clicking a link sent by email, this is a reminder not to click blindly on every link you come across. That habit reduces your exposure to attacks of this kind, though the underlying fix, rejecting state changes that arrive without proof they came from the site's own pages, has to be made by the service itself.