Instagram and the Friendship Vulnerability.
Adam Rifkin stashed this in Instagram!
Wade Roush noted yesterday:
Sebastián Guerrero, an independent security researcher in Spain who is also known by the Twitter handle 0xroot, disclosed today on his blog (English translation here) that he’s discovered a loophole in Instagram’s code that could allow malicious hackers to bypass the approval process for private accounts. By exploiting the vulnerability, hackers could add themselves as followers to any Instagram account—even private accounts—without permission. From there, they could access any photo or album associated with an account.
Guerrero published the details of the weakness early today, calling it the “Friendship Vulnerability.” In a tweet, he says he notified Instagram about the problem, but has received no response. “They didn’t answer me. So I took the decision to make it public,” Guerrero said.
To drive home the point, Guerrero showed an example in which he added himself to Facebook CEO Mark Zuckerberg’s Instagram friend list, and even sent Zuckerberg a message. “Congratulations Mark for Instagram acquisition,” the message read. “When would it be eligible for bounty bug program?”
Stephen Cobb, a security evangelist for Bratislava, Slovakia-based ESET, blasted Instagram over the vulnerability in a blog post this afternoon, calling it “the kind of programming mistake that should not find its way into production, often indicative of a lack of adequate code review and pre-production testing.”
Three thoughts:
1. Neither Instagram nor Facebook commented publicly on the alleged vulnerability. It's still very much the case that "privacy" is an annoying thing that Facebook Inc would like to eradicate, chipping away slowly at it over time with the prevailing attitude of "What's the most we can get away with?" not "How can we defend users' privacy?"
Zuckerberg, let us not forget, is the person who invented privacy as a feature.
2. Instagram makes clear in its public FAQ that users shouldn’t expect privacy by default. Because really, why would anyone using Instagram to take personal pictures want privacy for those pictures? Instagram's attitude is more compatible with Facebook's than I originally realized.
3. Instagram resolved the vulnerability within a day, but never apologized for having the vulnerability. They figured that since it never got exploited, no harm no foul, right?
Expect Instagram to behave more like Facebook, the more Facebook's DNA infects Instagram like the black goo in Prometheus.
That is what happens when your favorite app sells out.
3:24 PM Jul 12 2012