Personal details of thousands of Instagram users have been compromised by a social media boosting service called Social Captain. The service, which helps users grow their Instagram follower counts, has leaked thousands of Instagram usernames and passwords, exposing them to potential hackers.
According to a TechCrunch report, Social Captain stored passwords of linked Instagram accounts in unencrypted plaintext. This vulnerability allowed anyone to access any Social Captain user’s profile without having to log in, and to view that user’s Instagram login credentials.
“A security researcher, who asked not to be named, alerted TechCrunch to the vulnerability and provided a spreadsheet of about 10,000 scraped user accounts,” said the report.
Previously, any user viewing the web page source code of their Social Captain profile page could easily see their Instagram username and password, as long as they were connected to the platform. The new bug made things worse for Social Captain: it allowed anyone to access any Social Captain profile without logging in. Placing a user’s unique account ID into Social Captain’s web address granted access to that Social Captain account and its Instagram credentials.
Because user account IDs were “for the most part sequential, it was possible to access any user’s account and view their Instagram password and other account information with relative ease”, reported TechCrunch.
Social Captain said later it had fixed the vulnerability by preventing direct access to other users’ profiles. Instagram said the service breached its terms of service by improperly storing login credentials.
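The missing ownership check described above, shown beside a corrected handler. This is an added illustration, not Social Captain's code; the account records, field names and function names are constructed for the example.

```python
# Added illustration: constructed data and hypothetical names, not Social Captain's code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    account_id: int      # sequential IDs, as the report describes
    owner: str           # login name of the account's owner
    linked_username: str
    linked_secret: str   # stored credential (constructed placeholder values)

# Constructed sample records.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice_ig", "placeholder-secret-a"),
    1002: Account(1002, "bob", "bob_ig", "placeholder-secret-b"),
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested profile."""

def profile_vulnerable(account_id: int) -> dict:
    # Flaw 1: no session is consulted, so the ID in the URL is the only "key".
    # Flaw 2: the stored credential is rendered into the response.
    acct = ACCOUNTS[account_id]
    return {"owner": acct.owner, "username": acct.linked_username,
            "password": acct.linked_secret}

def profile_hardened(session_user: Optional[str], account_id: int) -> dict:
    # Require an authenticated session before looking anything up.
    if session_user is None:
        raise Forbidden("login required")
    acct = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so responses do not reveal
    # which IDs exist.
    if acct is None or acct.owner != session_user:
        raise Forbidden("not found")
    # The credential is never serialised into the page.
    return {"owner": acct.owner, "username": acct.linked_username}

def is_denied(session_user: Optional[str], account_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        profile_hardened(session_user, account_id)
        return False
    except Forbidden:
        return True
```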
“We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don’t know or trust,” an Instagram spokesperson was quoted as saying.
According to Adam Brown, Manager, Security Solutions, at Synopsys Software Integrity Group, design flaws are the cause of approximately 50 per cent of all software vulnerabilities.
“They are seldom detected without performing a design review as this activity requires select expertise. That said, in this case, a penetration test should have easily identified this flaw,” Brown told IANS.
“This is especially bad for affected users not just because their Instagram passwords are now breached, but also due to the fact that people commonly reuse passwords which could lead to unauthorised access of additional accounts by extension,” he elaborated.
In 2017, a bug in Instagram led to the leak of personal details of more than 6 million celebrity users, including Taylor Swift and Kim Kardashian. The stolen information was later gathered into a database and reportedly sold for $10 per record, paid in Bitcoin.