Sebastian Guerrero, an independent security researcher, found a flaw in the Instagram app. The flaw allows an attacker to add themselves to a target's Instagram account as a "Friend" without the target knowing, which in turn gives attackers access not only to personal information that can readily be stolen but also to photos that are marked as Private.
In his personal security blog (written in Spanish), Guerrero pointed out that the flaw is due to a "lack of control on the logic applied to [the] authorization feature". In plain terms, this means that a programming mistake led to the mishandling of authorizing friend requests. Because of this, attackers can brute force their way into a target's Instagram account without their permission. Guerrero aptly named the flaw the "Friendship Vulnerability".
What you see above is a screenshot of the proof-of-concept (PoC) by Guerrero to show that the vulnerability is real. From the shot, we can see that his test account, Novedades, has successfully added itself to the Instagram accounts of famous personalities such as Kim Kardashian.
Instagram, which was recently acquired by Facebook, has yet to comment on or provide a fix for the vulnerability.