A security flaw that allowed an attacker to access Instagram users' account information, such as their full phone number and real name, has been found. Facebook, which previously confirmed the existence of the vulnerability, has already fixed the flaw.
The bug was discovered in August by the researcher @ZHacker13. According to the social network itself, exploiting the bug could have allowed a malicious actor to associate phone numbers with user details and abuse that information, which posed a risk to users. All an attacker would have needed in order to affect a user was to link those two pieces of data.
Coincidentally, in early September a misconfigured database was discovered containing the phone numbers and user names of 419 million Facebook users from around the world. And about a week ago, researcher ZHacker13 explained to Forbes journalist Zak Doffman that he had found a vulnerability in Instagram that evaded the platform's security mechanisms. It would furthermore allow access to a database similar to the recently exposed one, enabling a malicious actor to abuse a long list of phone numbers, user IDs, usernames and real names.
The researcher explained to the media that an attacker could take advantage of this flaw, evading the mechanisms that protect this data, by using an army of bots and processing power to build a database of users that could then be accessed and attacked.
The problem lay in the platform's contact importer, which, when combined with a brute-force attack on its login form, exposed the vulnerability, the article explains. According to a Facebook spokesman, the company modified Instagram's contact importer to prevent any abuse of the bug.
To convey the magnitude of the finding, the researcher shared with the journalist details of how the vulnerability could be exploited and asserted that, with sufficient processing power, it would be possible to build a database of the phone numbers and account data of millions of Instagram users.
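The abuse pattern the article describes, a contact importer that resolves uploaded phone numbers to accounts being fed a brute-force sweep of number ranges, is a generic enumeration problem, and the fix is generic too. The following is an added example and is not code from Instagram, Facebook or the researcher: a toy reverse-lookup endpoint, first without controls and then with per-caller budgets. The directory contents, the `sweep` helper, and every limit (`max_batch`, `max_lookups`, `max_misses`, the one-hour window) are constructed assumptions, not Instagram's real policy. The key observation it encodes is that a genuine address book upload mostly hits known contacts, while a sweep of a number range is almost entirely misses, so the miss rate, not just the request rate, is what exposes a bot.

```python
# Added example (not Instagram's code): a toy contact importer that maps
# uploaded phone numbers to account handles, first as a naive reverse lookup
# and then with the abuse controls a practitioner would expect. All data,
# names and thresholds below are constructed for illustration.
import time
from collections import defaultdict, deque

# Constructed directory: phone number -> (username, real name).
DIRECTORY = {
    "+15550100": ("alice_k", "Alice Kim"),
    "+15550177": ("bob.t", "Bob Tan"),
    "+15550231": ("carol_w", "Carol Wu"),
}


def naive_import(phones):
    """Unthrottled reverse lookup: any batch, any caller, any rate.
    Sweeping a whole number range through this builds exactly the
    phone -> identity database the article warns about."""
    return {p: DIRECTORY[p] for p in phones if p in DIRECTORY}


class ContactImporter:
    """Reverse lookup with per-caller budgets (assumed limits, not Instagram's).

    max_batch   - numbers accepted per request
    max_lookups - numbers a caller may resolve per window
    max_misses  - unmatched numbers per window before the caller is flagged;
                  a real address book hits mostly known contacts, while a
                  brute-force sweep is almost all misses.
    """

    def __init__(self, max_batch=100, max_lookups=500, max_misses=200,
                 window=3600, clock=time.time):
        self.max_batch = max_batch
        self.max_lookups = max_lookups
        self.max_misses = max_misses
        self.window = window
        self.clock = clock                  # injectable for deterministic tests
        self.lookups = defaultdict(deque)   # caller -> timestamps of resolved numbers
        self.misses = defaultdict(deque)    # caller -> timestamps of unmatched numbers
        self.flagged = set()

    def _trim(self, q, now):
        """Drop timestamps that have aged out of the sliding window."""
        while q and q[0] <= now - self.window:
            q.popleft()

    def import_contacts(self, caller, phones):
        now = self.clock()
        if caller in self.flagged:
            raise PermissionError("caller flagged for enumeration")
        if len(phones) > self.max_batch:
            raise ValueError("batch too large")
        lq, mq = self.lookups[caller], self.misses[caller]
        self._trim(lq, now)
        self._trim(mq, now)
        if len(lq) + len(phones) > self.max_lookups:
            raise PermissionError("lookup budget exhausted")
        matches = {}
        for p in phones:
            lq.append(now)
            if p in DIRECTORY:
                matches[p] = DIRECTORY[p]
            else:
                mq.append(now)
        if len(mq) > self.max_misses:
            # Flag the caller and withhold this batch's results rather than
            # reward the sweep that crossed the threshold.
            self.flagged.add(caller)
            return {}
        return matches


def sweep(importer, caller, start=15550000, count=300):
    """Constructed brute-force sweep of a number range, as an attacker's bot
    would drive it, stopping as soon as the importer refuses."""
    found = {}
    numbers = ["+%d" % n for n in range(start, start + count)]
    for i in range(0, len(numbers), importer.max_batch):
        try:
            found.update(importer.import_contacts(caller, numbers[i:i + importer.max_batch]))
        except PermissionError:
            break
    return found


if __name__ == "__main__":
    rng = ["+%d" % n for n in range(15550000, 15550300)]
    print("naive importer leaks:", naive_import(rng))
    imp = ContactImporter(max_misses=150, clock=lambda: 1000.0)
    print("hardened importer yields:", sweep(imp, "bot"), "flagged:", imp.flagged)
    print("legitimate upload:", imp.import_contacts("legit", ["+15550100", "+15559999"]))
```

In the naive path a 300-number sweep recovers every directory entry in the range; with the budgets in place the same sweep is cut off once its miss count passes the threshold and yields nothing, while a small, mostly-known upload from another caller still resolves normally. Real deployments would add per-account and per-IP keys, proof of account ownership of the uploaded contacts, and alerting on flagged callers, none of which the toy shows.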
The journalist in turn shared the information with ESET researcher Lukas Stefanko, who validated the explanation and confirmed that the attack was possible.
Initially, Facebook told the researcher that, while the vulnerability was serious, the company was already aware of the bug and it would not be rewarded under its bug bounty program. The social network, however, reversed its decision and will eventually reward @ZHacker13 for reporting the bug.