Instagram Website Flaw Exposed Users' Phone Numbers and Email Addresses

Discussion in 'iOS Blog Discussion' started by MacRumors, May 23, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    A security researcher found a flaw in Instagram's website that caused thousands of users' email addresses and phone numbers to be exposed online for several weeks, it was revealed on Thursday.

    David Stier, a data scientist and business consultant, told CNET the website source code for some Instagram user profiles included the account holder's contact information whenever it loaded in a web browser.

    Although the contact information was available in Instagram's mobile app if users chose to reveal it in their profile, it was never displayed on the desktop version of the Instagram website, so it's unclear why the details were exposed.

    The leaked contacts are said to have come from thousands of accounts belonging to private individuals, including minors, as well as businesses and brands. Stier alerted Instagram to the problem shortly after discovering it in February, and the photo-focused social platform issued a patch in March.

    According to Stier, including the details in the source code could have let hackers scrape the data from the website relatively easily and use it to compile a database listing the contact information of thousands of Instagram users.

    A similar data haul may have already occurred. On Monday it was revealed that a database containing contact information for millions of Instagram influencers, celebrities, and brand accounts had been leaked online.

    The records included public data pulled from Instagram, such as profile picture, biography, and follower numbers, but also private contact information like phone numbers and email addresses.

    The database was initially uploaded and shared by Mumbai-based social media marketing firm Chtrbox, a company that pays Instagram influencers to share sponsored content. Though uploaded by Chtrbox, the database included info from influencers who have never worked with the company.

    In a statement, Chtrbox said the information in its database wasn't private and that it didn't source the information through unethical means.

    Instagram parent company Facebook said on Monday that it was investigating the Chtrbox database. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available," said Facebook.

    A similar privacy breach befell the social media platform in August 2017, when a bug related to an Instagram API allowed hackers to breach multiple high-profile Instagram accounts belonging to celebrities.

    Article Link: Instagram Website Flaw Exposed Users' Phone Numbers and Email Addresses
     
  2. jsmith189 macrumors 65816

    jsmith189

    Joined:
    Jan 12, 2014
  3. Bustycat macrumors regular

    Bustycat

    Joined:
    Jan 21, 2015
    Location:
    Kaohsiung, Taiwan
    #3
    This is even not news for Facebook and its websites!
     
  4. itsmilo macrumors 68020

    itsmilo

    Joined:
    Sep 15, 2016
    Location:
    Europe
    #4
    I don’t get why the EU isn’t doing anything about Facebook or Instagram. Usually they are up on everyone’s a$$. I guess lobbying is a hell of a thing
     
  5. windywalks macrumors 6502

    Joined:
    Mar 12, 2004
    #5
    What the hell do they use as a security measure, a Trapper Keeper!?
     
  6. 0815 macrumors 68000

    0815

    Joined:
    Jul 9, 2010
    Location:
    here and there but not over there
    #6
    as usual not surprising ....

    By now everyone should know that those big corporations care more about ad revenue and sale of personal data than about protecting the privacy of their user base - there is just no money in protecting the privacy and apparently users still stick with them - so no harm done in their viewpoint.
     
  7. sshambles macrumors 6502a

    sshambles

    Joined:
    Oct 19, 2005
    Location:
    Australia
    #7
    Instagram: We’re sorry. We’ll try harder to protect your privacy.

    Everyone sane: *begins taking bets on how long until the next privacy issue is discovered*
     
  8. mistafro macrumors regular

    Joined:
    Aug 24, 2003
    #8
    This is obviously on purpose, there is no way this many obvious breaches happen over and over. Question is who is benefiting and using this data besides the Gov?
     
  9. LarryNyquil macrumors member

    LarryNyquil

    Joined:
    Sep 7, 2017
    Location:
    Ohio
    #9
    My guess is it's a coordinated effort to make Facebook etc. look bad. Judging by how easy this seems to be, though, I'm not going to complain; this is a travesty and deserves to be exposed.
     
  10. Classie macrumors regular

    Joined:
    Nov 3, 2018
    Location:
    Sweden
    #10
    How come they don’t get brought to court or hit with penalties? Even though the regular Joe doesn’t understand the severity, there has to be someone who cares; just as “they” went after Windows and Apple. Especially now when GDPR is in full force.
     
  11. scrapesleon macrumors 6502a

    scrapesleon

    Joined:
    Mar 30, 2017
    Location:
    Jamaica
    #11
    Not even surprised by what Zuckerberg and his team do
     
  12. macduke macrumors G4

    macduke

    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #12
    The last time we played this game I said something like two days, and it ended up being closer to two hours later. Now I don't play this game.
     
  13. ignatius345 macrumors 68020

    Joined:
    Aug 20, 2015
    #13
    Every time they ask for my phone number I'm like, yeah, not gonna do that....
     
  14. dontwalkhand macrumors 603

    dontwalkhand

    Joined:
    Jul 5, 2007
    Location:
    Phoenix, AZ
    #14
    No post-it notes taped to the wall.
     
  15. justperry macrumors G3

    justperry

    Joined:
    Aug 10, 2007
    Location:
    In the core of a black hole.
    #15
    Patience my friend, I bet they are on it.

    Same as above.
     
  16. EdT macrumors 68000

    EdT

    Joined:
    Mar 11, 2007
    Location:
    Omaha, NE
    #16
    Actually post it notes on a wall would be better as long as they don’t have a web cam pointed at them.
     
  17. fairuz macrumors 68020

    fairuz

    Joined:
    Aug 27, 2017
    Location:
    Silicon Valley
    #17
    There is a way. Security is hard, and FB isn't the best at it. It's funny that even the hackers in Mumbai got hacked.
     
  18. JetTester macrumors 6502

    Joined:
    Feb 12, 2014
    #18
    Facebook couldn't do something right if they tried really, really hard. But they won't try, so....
     
  19. EdT macrumors 68000

    EdT

    Joined:
    Mar 11, 2007
    Location:
    Omaha, NE
    #19
    If they actually provide security it costs money which takes away profits. If they don’t provide security then they spend a lot less money and people keep using them anyway.
     
  20. jtara, May 24, 2019
    Last edited: May 24, 2019

    jtara macrumors 68000

    Joined:
    Mar 23, 2009
    #20
    The article is a bit jumbled on details, so hard to understand exactly what is going on. By "web site source code", I assume they mean HTML. But could be buried in some Javascript or retrieved using Ajax and then inserted into the DOM. Probably in a hidden element, hidden input, in a data- attribute, etc.

    I am not at all surprised, though.

    I am one of a small handful of developers who still answer questions on the jQuery developer forums. jQuery is a popular but rapidly-fading Javascript library that was created primarily to "normalize" the differences between browsers so that devs don't have to code "if this browser, do this, if that browser do that...". Instead, jQuery provides its own API and if you use their API then it deals with the differences between browsers. Rapidly becoming a Thing That Is Not Needed.

    Anyhoo, I am shocked at the low level of competency on the part of the (almost always overseas) frontend devs for major Fortune 500 companies. Like, for example, the web site for a major U.S. cell phone provider that I shall not name. You'll have to cycle through the alphabet to guess, but you won't have to go very far. ;)

    So, first off, how do I know that they are working for major Fortune 500 companies? Because they've repeatedly failed to reduce their examples to the minimum needed to show the problem, and just post links to their development site - which is typically open to the Internet with no security. If somebody is willing to help them, they will have to dig through mountains of code - like 50 or more JS files being loaded, with redundant plugins left by the previous devs who were hired to do Just One Thing and then moved on to other jobs for other companies. They just keep adding layer after layer of crap. And another dozen tracking scripts, etc.

    Anyway, there's their logo, and say an order form for service, or for the latest iPhone or whatnot, and they've posted a link to their example page and usually it's accessible without a password, though sometimes it needs one, which of course they post openly in an open forum.

    So, I COMMONLY see things like price calculators that are being relied-upon by the backend (they have inadvertently created their very own "name your own price tool"!), and it's not uncommon for the devs to not understand that Javascript running in a browser is NO MEASURE OF SECURITY. The only reason anyone should be doing any kind of price calculations or form validations in a web page is as a convenience to the user, to avoid a trip back and forth to the server. Where the validations MUST be done again, but often never are.

    It is very common to see posted PHP, C# code, etc. often with no understanding on the part of the dev that we can't help them with that - it's a jQuery forum, not a forum for some random server language. And, at the same time, no understanding that, say, the PHP code runs on the server, and the Javascript code runs in the browser. Chalk that up to the awful historical design of PHP where you can (you don't HAVE to, and this style is discouraged today) mix server and browser code in the same file. It's not uncommon for these devs to just not get it that the server is treating their file as a template, and generates HTML on the server to send to the browser, and the generated HTML (generated by the PHP code) is sent rather than the PHP.

    Since we often see PHP/C#/Cold Fusion/whatever code, that means we also see their (common) SQL injection vulnerabilities and other horrors of poor or no security in server code.

    I can see the described leakage easily happening because a dev made a query that returned columns that should never have been included in the page and/or the dev somehow thought there's no issue with including some extra data that "the user will never see". You know, because it is "hidden". Hidden, yes, to the casual user, but not to anybody who knows how to use the web inspection/debugging tools present in every desktop browser. Or to a scraper/crawler, which is not limited to seeing just the "visible" elements on a page.

    Somebody "might have made a copy". No, it is certain that somebody made a copy. There are certainly multiple copies of the data now in scrapers archives, and they probably do not even know what they have. A scraper is just a robot - it will scrape whatever it finds and squirrel it away. Probably later, an algorithm or a human will comb through it to see what might be "interesting".

    Front-end development practices, as done by many top companies, is just absolute crap. The companies piece it out to the cheapest bidder, and there is often no continuity. It gets handed off from one developer to another and again and again and again, and each adds their own layer of crap and leaves their own footprints to the mess.

    Beyond that, it is OBVIOUS that many of these devs are getting their information from 10-20 year-old books (which is why I now dispose of old development books rather than give them to a charity store), outdated blogs and tutorial sites, etc. Search engines and SEO have a surprising influence on this, BTW. Because sites that work their way to the top continue to stay there for many years after they have ceased to be useful. There are so many "frozen" dev tutorial sites that just have obsolete information but were once the top reference, and the search engines do a poor job of "expiring" their rankings.

    I have to admit, I often Google for answers. But I CHECK THE EXPIRATION DATE. Usually I will include a date constraint in my searches and then check any dates in the blog or tutorial, etc. to ensure I am getting fresh results, and not some 10-year-old advice. You don't know how many of these devs I have to point toward MDN, CSS-Tricks, jQuery Learning Center (on the VERY SAME SITE they are posting on...) and they had no clue that these sites existed and are the best references on the development they are doing.

    What this researcher uncovered is just the tip of the iceberg. It is not an anomaly. It is endemic.

    Edit: It's probably not fair to place the blame on front-end developers. Much of it can be blamed on the scourge known as "full-stack development". This is the fantasy that one person can do it all - front end, back end, database, security, etc. So, you have devs that know a little bit of that, a little bit of that, much of it outdated. As well as the fantasy that developers are fungible - you can just pass off bits and pieces of functionality to whatever random dev is available or can be hired the cheapest from an online virtual sweat-shop to implement a feature and you will somehow magically wind up with something coherent.

    And that, my friends, is how sausage... er, many of the highest profile websites - are too often made.
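    As an added example (not code from the thread, from Instagram or from jQuery), here are the two server-side habits jtara's post calls for, written as a small Node.js module: an explicit allow-list applied before a profile row is serialised into the page, so a query that happens to return extra columns cannot leak them into a "hidden" attribute, and an order total recomputed on the server rather than taken from the browser's price calculator. The profile row, field list and price table are constructed sample data, and all function names are hypothetical.

```javascript
// Added example, not code from the thread or from Instagram. Plain Node.js,
// no dependencies. The profile row, PUBLIC_PROFILE_FIELDS and PRICE_TABLE are
// constructed sample data; every function name here is hypothetical.

// Constructed sample row, as a careless "select everything" query returns it.
const profileRow = {
  username: 'example_user',
  bio: 'photos of the coast',
  followerCount: 1234,
  email: 'example_user@example.com',   // private: must never reach the page
  phone: '+1-555-0100',                // private: must never reach the page
};

// Fields a public profile page may carry. Anything not listed is dropped,
// no matter which columns the query happened to return.
const PUBLIC_PROFILE_FIELDS = ['username', 'bio', 'followerCount'];

function toPublicProfile(row) {
  const out = {};
  for (const key of PUBLIC_PROFILE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(row, key)) out[key] = row[key];
  }
  return out;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Naive render: the whole row lands in a data- attribute. "Hidden" from the
// casual viewer, but sitting in the HTML source for any inspector or scraper.
function renderProfileNaive(row) {
  return `<div class="profile" data-profile="${escapeAttr(JSON.stringify(row))}"></div>`;
}

// Hardened render: only the allow-listed view is ever serialised.
function renderProfileSafe(row) {
  return `<div class="profile" data-profile="${escapeAttr(JSON.stringify(toPublicProfile(row)))}"></div>`;
}

// Constructed price table in whole currency units; the server's copy is the
// only one that counts.
const PRICE_TABLE = { 'plan-basic': 30, 'plan-plus': 50, 'phone-case': 15 };

// Recompute the order total from the server-side table. Throws on anything a
// browser could have tampered with (unknown SKU, non-positive quantity).
function serverTotal(items) {
  let total = 0;
  for (const { sku, qty } of items) {
    const price = PRICE_TABLE[sku];
    if (price === undefined) throw new Error(`unknown sku: ${sku}`);
    if (!Number.isInteger(qty) || qty <= 0) throw new Error(`bad quantity for ${sku}`);
    total += price * qty;
  }
  return total;
}

// The browser may send its own total (the in-page calculator's convenience
// value). It is only compared, for logging; the amount charged is always the
// server's figure.
function validateOrder(order) {
  const total = serverTotal(order.items);
  return {
    total,
    clientMismatch: order.clientTotal !== undefined && order.clientTotal !== total,
  };
}
```

    Running `renderProfileNaive(profileRow)` shows the e-mail and phone number sitting in the markup even though nothing displays them, while `renderProfileSafe(profileRow)` carries only the three allow-listed fields; `validateOrder` returns the recomputed total and a flag that is worth logging, since a mismatch means the page's calculator and the server disagree.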
     
  21. JetTester macrumors 6502

    Joined:
    Feb 12, 2014
    #21
    Gee, I didn't think the opportunity would come around again so fast, but....Facebook is evil, Zuckerberg is evil. Stuck record!
     
  22. mannyvel macrumors member

    Joined:
    Mar 16, 2019
    Location:
    Hillsboro, OR
    #22
    Someone decided to just send all the data and let the front end filter it out. That sounds like a decision made a long time ago, because nobody at the time had time to figure out the filter criteria/requirements on the back end.

    With that nugget of information, finding more holes like that should be easier. I'll bet you can fuzz their access control and get the data out...because as someone else put it, you should never trust data coming from the front end, period.
     
  23. Regbial macrumors 6502

    Regbial

    Joined:
    Jul 10, 2010
    #23
    But... Butt... We'll need your number for greater security please. No really. PLEASE BELIEVE US.
     
