It looks like Instagram users are lucky that a vulnerability was never utilized - even though the bug was there for at least 6 months.
Barcelona-based security researcher Christian Lopez has just revealed that Facebook has effectively plugged a vulnerability within Instagram that would have enabled hackers to turn private photos public. According to Lopez, it took Facebook's security team nearly 6 months to fix the issue.
Here's what Lopez has to say about the bug in a blog post titled "How I hacked Instagram to see your private photos."
Certain actions of the instagram’s API were vulnerable to a cross-site request forgery (CSRF) attack. An attacker could execute unwanted actions on a web application in where the user (victim) is currently authenticated. A successful CSRF exploitation could compromise end user data (photos and personal information) by making public his Instagram profile.
The exploit apparently affected users who logged in via Instagram's web interface only - so mobile-only users were safe the whole time. In a statement, the Instagram team says that they have no evidence that any account was ever compromised using this bug.
— Christian Lopez (@phr0nak) February 10, 2014
"We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our parent company Facebook’s White Hat Program. We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it. Due to the responsible reporting of this issue to us, we do not have evidence of account compromise using this bug," said an Instagram spokesperson.
According to Forbes, Lopez was paid a "four figure" reward as part of Facebook's bug bounty program, which pays security experts for reporting flaws in its systems.
Still, the vulnerability existed for nearly 6 months–even after Lopez reported it. There's no telling how long it was active before the report.
"The vulnerability mentioned here has been confirmed patched by the Facebook Security Team. Although it has been almost six months exchanging mails to properly fix the application, I want to thank them for their great response, for their generous reward and for including me in their Hall of Fame," says Lopez.
Image via How To Cook That, YouTube