  • Admin

Instagram Flaw Allows Public To Peek At Private Posts

Published: August 31, 2021 in our Security Fraud News & Alerts Newsletter.

A Facebook-owned company with 1 billion worldwide users made the “not-so-good-news” headlines due to a recent software flaw. The security flaw found in the mammoth photo-sharing app allowed anyone to view and comment on a user’s posts without legitimately being a follower of their Instagram account, whether the user allowed it or not. Beyond the creepy feeling that anyone can see your photos and posts, the security bug can also lead to brute-forcing of media IDs, exposing users to further data vulnerability on the platform.

Flaw Finder

The researcher who discovered the flaw was paid $30,000 as part of Facebook’s bug bounty program. The researcher noted, “This bug could have allowed a malicious user to view targeted media on Instagram. An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID.” The bug can also lead to attackers brute-forcing a media ID, allowing them to access and store specific media details and later filter those that are private and archived. The bug also exposes a user’s link to their Facebook page. In addition, access to a private Instagram account could lead to identity theft, harassment, blackmail and more.

What to Do

Instagram released a patch for this vulnerability shortly after its discovery. Users are reminded to install security patches as soon as they are available, since waiting is always a risky option. Changing your password after any security flaw, no matter how small, is always recommended. Doing so in combination with using 2FA (two-factor authentication) provides a level of bolstered security that every user should have for their account. Also, be aware of what you’re posting because, as in this case, you never know who is viewing it and what they may do with it. Too much information can backfire and, at some point, be used against you. Only a hacker wants that to happen, so be cyber-smart and don’t give them what they want.
