Instagram Leak From API Spills High Profile User Info

Another high profile Instagram leak, this time with no actual tangible repercussions, other than that it could possibly link to the recent Justin Bieber nudes leaked via a compromise of Selena Gomez’s account.


There isn’t a whole lot of detail about what actually happened, in terms of what went wrong with the API. A wild guess would be some kind of authentication or token bug in the API that allowed you to access certain information about other users that you weren’t supposed to be able to get access to.

Instagram is blaming a bug in its API for the partial breach of verified users’ accounts.

All verified users have been notified that some of their profile data – email address and phone number – could have been viewed by one or more attackers.

The Facebook-owned organisation isn’t explaining any details of the API flaw, which it says has been patched. It’s not clear, for example, whether the API only leaked verified members’ details, or that attackers only dug into verified accounts because they’re more likely to be celebrities.

The notice to users says the malicious activity “was targeted at high-profile users,” and advised extra vigilance, particularly if anyone encountered “unrecognised incoming calls, texts, and e-mails”.

It could be possible the Selena Gomez compromise was linked to this indirectly, if an attacker managed to get her private contact details through the API and then used those to social engineer their way into the account, or even took control by exploiting an SS7 flaw to grab SMS OTPs.

As per usual though, with no details all we are doing is speculating, and as it’s been fixed it’s very unlikely any details will be forthcoming – this is not the first Instagram leak and it won’t be the last.

As entertainment industry bible Variety has reported, someone recently hijacked actor Selena Gomez’s account to post Justin Bieber nudes.

While it’s feasible that Gomez was tricked into giving her credentials to an attacker who’d obtained her e-mail or phone number through the API bug, there’s nowhere near enough information to definitively link the two events.

The New York Daily News says Instagram confirmed to it that only one attacker had tried to exploit the bug.

Perhaps they should have been using something like Scumblr by Netflix to search their own API.

Facebook is a huge company with so many moving parts, it’s hard to see everything – there will be flaws, they will be found and they will be exploited. That’s just the nature of the Internet machine.

Source: The Register
