Are you one of the 50 million users of Instagram, the photo-sharing service bought by Facebook in April for $1 billion? If so you need to look out for an Instagram update to fix a vulnerability that has just been published by Spanish security researcher Sebastián Guerrero. This vulnerability, which Guerrero has dubbed the "Friendship Vulnerability," allows people you don't know to add themselves as a friend to your Instagram account, with privileges that include viewing photos you thought were Private.
[Update: Approximately 4 hours after this post was published, Instagram placed a notice in its Help Center stating that the vulnerability, which they refer to as "Following Bug," has been fixed. They also state that "Never in the course of the bug existing was users' data at risk–and at no point were private photos made public." That appears to be at odds with what Mr. Guerrero has stated and so it is likely that he will have something to say about this. We will keep you updated.]
If you don't know Instagram, it is one of the most successful apps for mobile devices using Android or iOS (iPhones, iPads, and iPods). Instagram allows you to add fancy filters to photos you take to give them a retro or vintage style, then share them across multiple social networks. Signing up for Instagram from your mobile device is very easy, after which you can access the service via the Instagram website. As it says in the iTunes store: "50 million people love Instagram!"
But will they like it when they hear about this vulnerability in how Instagram handles their privacy? As described in Guerrero's Spanish blog (English translation here), the hole in Instagram's code is a pretty big one: it enables a malicious person to enter the select group of people that some celebrity follows, to access the images a particular user has created, and to access their personal information. This "Friendship Vulnerability" affects even private albums, potentially allowing a stranger to access them and see the pictures that are stored with a Private setting.
In his blog post, and its English translation now on pastebin, Sebastián Guerrero has described the details of how this vulnerability works. Basically, there is a lack of control over input, the kind of programming mistake that should not find its way into production, often indicative of a lack of adequate code review and pre-production testing. Guerrero also shows an example in which he adds himself to the people followed by Mark Zuckerberg and even sends the Facebook billionaire a message of congratulation on buying Instagram.
While we wait for this vulnerability to be fixed, our best advice to all Instagram users is not to store any sensitive pictures using this app because, by exploiting this vulnerability, just about anyone could access your profile and see them.
For anyone who might be thinking of exploiting this vulnerability, we add a note of caution. A man from Jacksonville, Florida, has a date in federal court in Los Angeles in about 10 days' time to be sentenced for unauthorized access to the personal email accounts of a handful of celebrities, including singer Christina Aguilera and actress Scarlett Johansson, nude photographs of whom subsequently circulated online. The Jacksonville Times Union reports that 35-year-old Christopher Chaney "faces up to 60 years behind bars and a fine of about $2 million when he is sentenced July 23." Mr. Chaney won't be missing that date because he is already in federal custody awaiting sentencing.
Whether Facebook, the owner of Instagram, will face any sanctions for this vulnerability remains to be seen. One suspects that the Federal Trade Commission will take a look at the matter, given that Facebook is already subject to a 20-year FTC settlement over false claims about protecting the privacy of its users.
Josep Albors, ESET Spain
Stephen Cobb, ESET North America