New Instagram bug raises security questions

Updated November 18, 2018

Email

The breach was linked to the "download your data" tool which lets users see how much data the site has collected.— AFP/file
The breach was linked to the "download your data" tool which lets users see how much data the site has collected.— AFP/file

Instagram users were notified of a new security flaw that may have revealed their passwords to the public eye, raising concerns about the strength of the social networking service's security measures among security researchers, The Information reported on Friday.

The security breach was ironically linked to the “download your data” feature introduced to users in April which let them see the extent to which their personal data had been collected by the site, said The Information.

"'Download Your Data' lets users download all the data that Instagram has on them, both to comply with new European data-privacy regulations and to satisfy increasingly privacy-sensitive users around the world," the tech website reported.

Users were told on Thursday their passwords were inadvertently exposed by being included in the URL of their web browsers, according to the notice that was sent to users.

This means that if anyone used the Instagram tool on a computer open to use by the public, others could have viewed the password, The Information reveals.

According to the wesbite, Instagram's notice to users warned that the passwords were also stored on Facebook’s computers.

An Instagram spokesperson on Friday said the issue was "discovered internally and affected a very small number of people", The Information said.

The tech news website reports that Chet Wisniewski, a principal research scientist at security firm Sophos has said that if Instagram were storing passwords with the right encryption technology, this type of flaw shouldn’t be possible.

He said the only way it could show up in the URL is if the password were stored somewhere inside of Instagram in plain text, which isn’t recommended in the security industry.

“This is very concerning about other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that,” he added.

The breach is the latest in the line of security issues to hit Facebook, which last announced a breach in September. The leak "compromised the personal information of more than 30 million users, including gender, work, birthday and location" as reported by The Information.

The breach took place on the Facebook app, but this new incident points towards the possibility that Facebook's other apps may contain security flaws as well.

The Information previously reported that Facebook is in the market to acquire a security company to beef up its defenses against hackers and try to avoid these kinds of mistakes.

The tech website also reported that Facebook said in a message sent out to some Instagram users that it has since changed the “Download Your Data” tool so that this bug no longer occurs. Instagram told users they should update their passwords and clear their browser history.