20 million Instagram accounts were put at risk through sloppy security hole HOTforSecurity


20 million Instagram accounts were put at risk through sloppy security hole

By: Graham Cluley | May 24, 2016 | Posted in: Industry News

A bug bounty of US $5,000 has been awarded to a Belgian vulnerability researcher who uncovered two methods by
which malicious hackers could brute force their way into Instagram accounts.


Arne Swinnen says that he discovered two distinct vulnerabilities which could, when combined with the site's weak
password policies, a lack of two-factor authentication and other mitigating security controls, have allowed an
attacker to break into accounts, including those belonging to high profile celebrities.

If high profile accounts had been hacked, they could have been exploited to send spam messages and malicious
links to millions of followers, and potentially opened opportunities for embarrassing intimate photo leaks like those
seen during 2014's notorious Celebgate.


The first flaw existed in Instagram's Android app, which correctly blocked incorrect password guesses after 1000
attempts from the same IP address, but then (bizarrely) allowed them on every other attempt after the 2000th.

Swinnen described in a blog post how he was able to create a quick-and-dirty Python script which could launch a
brute force attack of 10000 popular passwords against an Instagram test account:

This allowed a reliable brute-force attack, since an attacker could reason on the
reliable response messages and simply replay the unreliable ones until a reliable
answer was received. The only limitation of this attack was that on average, 2
authentication requests had to be made for one reliable password guess attempt.

Swinnen noted that the site also failed to identify that the same IP address was being used in the repeated attempts
to crack the password, missing opportunities to alert that an account might be being attacked or lock it as a
precautionary measure.


Additionally, the researcher uncovered a security problem with Instagram's website, specifically how it related to
user registration.

Again, Instagram did not have sufficient protection mechanisms in place, such as rate-limiting or account lockout,
to prevent brute force attacks from succeeding.

Instagram is reported to have started rolling out two-step verification to better protect accounts from hackers, but
it is thought that the system has not yet gone worldwide. That's a shame, as it would certainly help make life more
difficult for account hackers.

Instagram has responded to Swinnen's vulnerability reports by strengthening rate-limiting. Instagram's password
policy has been slightly hardened, with particularly dumb, easy-to-predict passwords such as "123456" and "password"
outlawed.

This isn't the first time that Swinnen has uncovered serious security holes in Facebook-owned Instagram.
In March, for instance, Facebook patched a serious vulnerability in Instagram which could have allowed malicious
attackers to seize control of up to 20 million locked accounts.

Swinnen uncovered that exploitation of the security flaw, combined with weak password policies being used by
Instagram, could potentially allow attackers to hijack four percent of the photo-sharing site's 500 million accounts.

Swinnen was awarded US $5,000 for his discovery, which was disclosed responsibly to Facebook as part of its bug
bounty program.

Swinnen stumbled across the vulnerabilities after he received a verification request from Instagram when

The researcher discovered that the verification link contained an incremental numeric user ID in its URL:
something with which seasoned vulnerability researchers find it hard to resist meddling.

As Swinnen changed the numeric user ID in the URL using a simple script, he was sometimes greeted with
verification pages that did not offer to send a verification code to the user's email address, but occasionally asked
for another interaction from the user.

Swinnen enumerated the user ID with interesting results, sometimes exposing a security vulnerability.

In 0.17% of cases during his testing, Swinnen was asked to update the email addresses of temporarily locked
accounts.

Once an account was given a new email address, a password reset could then be performed, giving an unauthorised
party complete access to the account.

In 3.88% of cases, the verification page would request that a phone number be entered to which Instagram would
send a security code, again opening clear opportunities for hackers to commandeer accounts. Worse still, the form
also broke privacy by displaying the account owner's current mobile phone number.
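As an added defender-side example (not code from the article, from Swinnen or from Instagram), the following Python runs over a constructed web log and flags the two patterns this article describes: one IP repeatedly failing logins against the same account, which Instagram reportedly did not act on, and one IP walking sequential numeric user IDs on a verification URL. The log layout, endpoint paths, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample web log (not from the article): one IP hammering one account,
# a legitimate user mistyping once, and one IP walking sequential verification IDs.
LOG_LINES = (
    [f"2016-05-20T10:00:{i:02d} 203.0.113.7 POST /accounts/login user=alice result=fail"
     for i in range(12)]
    + ["2016-05-20T10:01:00 198.51.100.4 POST /accounts/login user=bob result=fail",
       "2016-05-20T10:01:05 198.51.100.4 POST /accounts/login user=bob result=ok"]
    + [f"2016-05-20T10:02:{i:02d} 192.0.2.9 GET /accounts/verify/{1000 + i} user=- result=ok"
       for i in range(15)]
)
# Assumed log layout: timestamp ip method path user=<name> result=<ok|fail>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) user=(\S+) result=(\S+)$")

def parse(line):
    ts, ip, _method, path, user, result = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": path,
            "user": user, "result": result}

def failed_login_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    # {(ip, user)} with >= threshold failed logins in a sliding window (the per-IP signal)
    recent, flagged = defaultdict(deque), set()
    for ev in map(parse, lines):
        if not ev["path"].endswith("/login") or ev["result"] != "fail":
            continue
        q = recent[(ev["ip"], ev["user"])]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((ev["ip"], ev["user"]))
    return flagged

def longest_consecutive_run(nums):
    s, best, run = sorted(nums), 1, 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def id_enumeration(lines, min_run=10):
    # {ip} that requested >= min_run consecutive numeric IDs under /accounts/verify/
    ids = defaultdict(set)
    for ev in map(parse, lines):
        m = re.search(r"/accounts/verify/(\d+)$", ev["path"])
        if m:
            ids[ev["ip"]].add(int(m.group(1)))
    return {ip for ip, seen in ids.items() if longest_consecutive_run(seen) >= min_run}
```

Either hit is a reason to alert on the account and throttle or lock the source, which is the control the article says was missing.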

This case was the most troublesome, as an attacker could on one hand gather
sensitive user information (pre-filled phone number in some cases), and on the other
hand simply update the phone number linked to the victim's Instagram account.

After successfully linking a new phone number, an attacker could perform the reset
password via SMS scenario and gain complete access to the account. Big security
impact, and almost 4% of all accounts affected in the one million range. A quick
manual verification also learned that these were mostly human accounts which had
been inactive for a couple of weeks, of which many had a good amount of followers on
Instagram.

With so much success finding flaws in Instagram, you have to wonder when the photo-sharing social network will
offer Swinnen a full-time job.


About The Author

Graham Cluley
Security analyst
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has
been working in the computer security industry since the early 1990s, having been employed
by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about
computer security for some of the world's largest companies, worked with law enforcement
agencies on investigations into hacking groups, and regularly appears on TV and radio
explaining computer security threats. Graham Cluley was inducted into the InfoSecurity
Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons
in IT History" for his contribution as a leading authority in internet security.
