Security researcher Sebastián Guerrero recently uncovered a flaw in Instagram, affecting both the Android and iPhone apps, that enables anyone to add themselves as a “friend” to any user’s Instagram account and view that user’s private photos and profile information.
“In his personal security blog (written in Spanish), Guerrero pointed out that the flaw is due to a ‘lack of control on the logic applied to [the] authorization feature,’” writes GFI Labs’ Jovi Umawing. “In normal-speak, this means that a programming mistake led to the mishandling of authorizing friend requests. Because of this, attackers can brute force their way into a target’s Instagram account without their permission. Guerrero aptly named the flaw as ‘Friendship Vulnerability.’”
“The security researcher illustrated the vulnerability by adding himself to the select group of people followed by Facebook head honcho Mark Zuckerberg,” writes The Register’s John Leyden. “Guerrero then sent the social networking mogul a message congratulating him on buying Instagram and asking for some sort of reward under Facebook’s bug bounty program.”
Instagram soon announced that the bug had been fixed — and directly contradicted Guerrero’s description of the vulnerability, stating, “The technical researcher was not able to follow private users, nor were private users’ data ever at risk.”