If the events of the past few years have taught us anything, it’s that nothing is safe if it involves the Internet. “Private” is just a word these days, as malicious hackers get more and more creative with their efforts to crack service providers’ security. In the latest example, Forbes staff writer and well-known cybersecurity reporter Andy Greenberg reveals a huge security hole in Instagram that had been present in the app for at least six months before the Facebook-owned team finally fixed the issue last week.
Last August, security researcher Christian Lopez discovered a huge flaw in Instagram’s mobile apps. Using a common hacking technique called cross-site request forgery, the bug allowed Lopez or any other hacker aware of the flaw to covertly switch a user’s profile settings from private to public. A malicious hacker could then quickly download all of the user’s photos and switch the profile back to private before anyone noticed.
Lopez contacted Facebook’s security team back in August to report the bug, and he was given a “four-figure” reward as part of Facebook’s “bug bounty” program. According to the researcher, however, Facebook stumbled numerous times while attempting to fix the hole and private users remained at risk for nearly six months until the bug was finally addressed properly.
While we won’t know for sure unless reports of private photos start popping up in public, Facebook says it isn’t aware of any accounts being compromised.
“We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our parent company Facebook’s White Hat Program,” Facebook told Forbes in a statement. “We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it. Due to the responsible reporting of this issue to us, we do not have evidence of account compromise using this bug.”
