An independent information security specialist known by the nickname ZHacker13 discovered an Instagram vulnerability that threatened user privacy and allowed automated collection of user data.
For several weeks the service's representatives failed to eliminate the threat and began working actively on a fix only after a Forbes journalist contacted them.
According to the researcher, his technique relied on bugs in Instagram's authorization and contact-import services. With it, real user names, account data and full phone numbers could be collected from disparate sources into a single database.
“At the first stage, the attacker needed to find the phone numbers to which real accounts are tied. To do this, he could enter various combinations of digits in the Instagram authorization form; from the result of the request on this page, you can tell whether a given number is in the service’s databases,” information security experts told Forbes.
The process could easily be automated, collecting more than 1,000 current phone numbers per day. Experts also clarify that with bots running in parallel, this figure could grow almost without limit.
With lists of numbers in hand, an attacker could associate them with the corresponding accounts through the contact-import system.
“Instagram offers each new user the option to synchronize contacts in order to find friends who are already registered on the social network. If the service refers to this contact list, it is impossible to determine from the proposed list which number is associated with a particular account,” ZHacker13 explained.
Instagram's developers allow each user to send no more than three account-synchronization requests per day. Using many bots made it possible to bypass this limit, after which the only thing limiting the attackers' appetite was the available computing power. According to ZHacker13's calculations, his method allowed collecting information on millions of users in an acceptable time frame and without significant cost.
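As an added defender-side example (not from the article, and not Instagram's own code), the following Python re-applies the per-account contact-sync limit per source client and counts distinct phone numbers probed through the login form, over constructed log lines; the log format, endpoint names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample API log lines (not real Instagram logs): timestamp source_ip account endpoint detail.
# login_probe = existence check via the login form (detail: phone number tried);
# contact_import = contact-sync request (detail: number of contacts uploaded).
SAMPLE_LOG = """\
2019-08-01T10:00:01Z 203.0.113.7 - login_probe +15550000001
2019-08-01T10:00:02Z 203.0.113.7 - login_probe +15550000002
2019-08-01T10:00:03Z 203.0.113.7 - login_probe +15550000003
2019-08-01T10:01:00Z 203.0.113.7 bot001 contact_import 500
2019-08-01T10:01:01Z 203.0.113.7 bot001 contact_import 500
2019-08-01T10:01:02Z 203.0.113.7 bot001 contact_import 500
2019-08-01T10:01:03Z 203.0.113.7 bot002 contact_import 500
2019-08-01T10:01:04Z 203.0.113.7 bot003 contact_import 500
2019-08-01T10:05:00Z 198.51.100.2 alice contact_import 120
2019-08-01T10:06:00Z 198.51.100.3 - login_probe +15550009999
"""

PER_ACCOUNT_DAILY_LIMIT = 3  # the per-user contact-sync limit described in the article


def parse_log(text):
    """Parse the whitespace-separated log format above into a list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, endpoint, detail = line.split()
            events.append({"ts": ts, "ip": ip, "account": account,
                           "endpoint": endpoint, "detail": detail})
    return events


def find_enumeration_sources(events, probe_threshold=3):
    """Return {source_ip: [reasons]} for clients whose aggregate behaviour looks like enumeration.
    The per-account limit is re-applied per source, so a bot fleet driven from one client is caught."""
    probes = defaultdict(set)    # ip -> distinct phone numbers probed on the login form
    imports = defaultdict(list)  # ip -> account name per contact_import request
    for e in events:
        if e["endpoint"] == "login_probe":
            probes[e["ip"]].add(e["detail"])
        elif e["endpoint"] == "contact_import":
            imports[e["ip"]].append(e["account"])
    flagged = defaultdict(list)
    for ip, numbers in probes.items():
        if len(numbers) >= probe_threshold:
            flagged[ip].append(f"{len(numbers)} distinct phone numbers probed")
    for ip, accounts in imports.items():
        if len(accounts) > PER_ACCOUNT_DAILY_LIMIT and len(set(accounts)) > 1:
            flagged[ip].append(f"{len(accounts)} contact imports spread over "
                               f"{len(set(accounts))} accounts (limit is per account)")
    return dict(flagged)
```

In the constructed data, 203.0.113.7 is flagged on both counts while the single-request clients are not.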
In early August, the expert reported his finding to Facebook, which owns Instagram.
Facebook engineers said they did not consider the ability to check whether a particular phone number or email address was tied to an account to be a vulnerability. At the same time, the developers acknowledged that if the flaw allows finding out a specific user's contacts, it can be dangerous.
However, Facebook refused ZHacker13 a reward under its bug bounty program. The company said its own specialists had discovered the problem earlier and were already working on a fix. When, after several weeks, the vulnerability was still present, the expert demonstrated that it worked to a Forbes columnist.
After receiving the journalist's request, Facebook staff reconsidered their position on paying the reward and asked to postpone publication until the developers had corrected the error.
Forbes pointed out that this incident indicates more serious risks than the vulnerability of a single web service. In the future, new cyberattacks that exploit users' phone numbers can be expected, as phone numbers are increasingly used for authorization in applications and services.