A security flaw in Instagram’s Download Your Data, a tool released in April this year, reportedly could have exposed user passwords, but the bug has now been fixed, according to multiple news reports. Apparently, the issue was that as part of the Download Your Data process, a URL containing the user’s password would have been emailed to the user.
“While this may seem somewhat harmless (the user sees his/her own password), it is actually quite dangerous. E-mail is not a secure communication channel for transmitting passwords,” said Amit Sethi, senior principal consultant at Synopsys.
“Several e-mail servers might have had access to the passwords, they may have been transmitted in clear text in some cases, and they would have been stored on some email servers and on the users’ devices. Some users may have even accessed the URLs on public computers, which may have exposed their passwords to other users. Given that users often reuse passwords on multiple sites, the impact goes beyond just Instagram accounts.”
Because email was involved, Sethi said that manual security testing would be required to find this security issue. “This is yet another example that illustrates why we cannot rely solely on automated tools for testing applications.”
Infosecurity Magazine contacted Instagram, but as of the time of publication, the company had not responded. The Information reported that Instagram notified its users about a flaw that potentially left passwords publicly exposed. An Instagram spokesperson told The Information that the issue was discovered internally and only impacted “a small number of people.”
“Regardless of the number of individuals affected, this event raises major concerns about the way that Instagram is handling its users' data. In light of the fact that Facebook owns Instagram and has been experiencing a number of security debacles of its own, it should come as little surprise that Instagram is now exhibiting similar issues,” said Rich Campagna, CMO, Bitglass.
The need for comprehensive cybersecurity measures is widely known today; however, many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties. Unless organizations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”