Instagram was never the most private of apps. The photos you share there are public by default, meaning they’re visible to all of your followers. And you can “follow” any Instagram user you like—unless that user has selected the “photos are private” option in the app’s privacy settings. In that case, the user has to approve your follow request before you can see any of their photos.
But it turns out that the privacy option may be less private than users thought.
Sebastián Guerrero, an independent security researcher in Spain who is also known by the Twitter handle 0xroot, disclosed today on his blog (English translation here) that he’s discovered a loophole in Instagram’s code that could allow malicious hackers to bypass the approval process for private accounts. By exploiting the vulnerability, hackers could add themselves as followers to any Instagram account—even private accounts—without permission. From there, they could access any photo or album associated with an account.
Guerrero published the details of the weakness early today, calling it the “Friendship Vulnerability.” In a tweet, he says he notified Instagram about the problem, but has received no response. “They didn’t answer me. So I took the decision to make it public,” Guerrero said.
Instagram is used by more than 50 million people and is the most popular photo-sharing app for Apple and Android smartphones. In April, Facebook paid $1 billion for the San Francisco-based startup that developed the app.
In his post, Guerrero details the mechanism by which an outsider could gain access to an Instagram user’s friend list. It exploits a similarity in the way the app handles approved and rejected friendship requests. In essence, Guerrero showed that it’s possible to trick Instagram’s servers into adding a new follower to any account, even if the account is private.
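The article gives only the shape of the flaw: approved and rejected follow requests were handled so similarly that the server could be made to create a follower relationship without the account owner's approval. The following Python model, added here as an illustration and not code from Instagram or from Guerrero's post, shows the defensive property a follow-request workflow for private accounts needs: the decision on a request is taken only by the authenticated target account, and the follower relationship is written only from the approve branch, never from the request or reject path. The service, class and account names are constructed for the example and are not Instagram identifiers.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


class Forbidden(Exception):
    """Actor is not the owner of the account the request targets."""


class InvalidTransition(Exception):
    """Request has already been decided; it cannot be decided again."""


@dataclass
class FollowRequest:
    requester: str
    target: str
    status: Status = Status.PENDING


@dataclass
class FollowService:
    # Constructed model: accounts that must approve followers explicitly.
    private_accounts: set
    # (requester, target) -> pending/decided request
    requests: dict = field(default_factory=dict)
    # target -> set of accounts that currently follow it
    followers: dict = field(default_factory=dict)

    def request_follow(self, requester: str, target: str):
        """Public accounts get a follower immediately; private ones get a pending request."""
        if target not in self.private_accounts:
            self.followers.setdefault(target, set()).add(requester)
            return None
        req = FollowRequest(requester, target)
        self.requests[(requester, target)] = req
        return req

    def _decide(self, actor: str, requester: str, target: str, decision: Status) -> Status:
        """Single decision path: authorization and state checks happen before any write."""
        req = self.requests[(requester, target)]  # KeyError if no such request
        if actor != req.target:
            # Only the targeted account may approve or reject its own requests.
            raise Forbidden(f"{actor} may not decide requests for {req.target}")
        if req.status is not Status.PENDING:
            # A rejected (or already approved) request is terminal.
            raise InvalidTransition(f"request already {req.status.value}")
        req.status = decision
        if decision is Status.APPROVED:
            # The only place a private-account follower relationship is created.
            self.followers.setdefault(target, set()).add(requester)
        return req.status

    def approve(self, actor: str, requester: str, target: str) -> Status:
        return self._decide(actor, requester, target, Status.APPROVED)

    def reject(self, actor: str, requester: str, target: str) -> Status:
        return self._decide(actor, requester, target, Status.REJECTED)

    def is_follower(self, requester: str, target: str) -> bool:
        return requester in self.followers.get(target, set())


def demo() -> dict:
    """Exercise the checks with constructed accounts; returns observed outcomes."""
    svc = FollowService(private_accounts={"alice"})
    results = {}

    svc.request_follow("bob", "alice")
    try:  # the requester must not be able to decide their own request
        svc.approve("bob", "bob", "alice")
        results["self_approve"] = "allowed"
    except Forbidden:
        results["self_approve"] = "forbidden"

    svc.reject("alice", "bob", "alice")
    results["after_reject"] = svc.is_follower("bob", "alice")

    try:  # a rejected request must not be flipped to approved later
        svc.approve("alice", "bob", "alice")
        results["reapprove"] = "allowed"
    except InvalidTransition:
        results["reapprove"] = "invalid"

    svc.request_follow("dan", "alice")
    svc.approve("alice", "dan", "alice")
    results["dan_after_approve"] = svc.is_follower("dan", "alice")

    results["public_follow"] = (
        svc.request_follow("bob", "carol") is None and svc.is_follower("bob", "carol")
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The point of routing both outcomes through one `_decide` method is that approval and rejection share their authorization and state checks but differ only in the single line that writes the follower set; a code review can then see at a glance that no other path can add a follower to a private account.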
To drive home the point, Guerrero showed an example in which he added himself to Facebook CEO Mark Zuckerberg’s Instagram friend list, and even sent Zuckerberg a message. “Congratulations Mark for Instagram acquisition,” the message read. “When would it be eligible for bounty bug program?”
Stephen Cobb, a security evangelist for Bratislava, Slovakia-based ESET, blasted Instagram over the vulnerability in a blog post this afternoon, calling it “the kind of programming mistake that should not find its way into production, often indicative of a lack of adequate code review and pre-production testing.”
“While we wait for this vulnerability to be solved, our best advice to all Instagram users is not to store any sensitive pictures using this app because, by exploiting this vulnerability, just about anyone could access your profile and see it,” wrote Cobb, who works from ESET’s North American headquarters in San Diego.
Instagram makes clear in its public FAQ that users shouldn’t expect privacy by default—but it also promises that users can control who follows them. “We have adopted a follower model that means if you’re ‘public’ on Instagram, anyone can subscribe to follow your photos,” the company writes. “We do, however, have a special private option. In this mode, a user can make sure he/she must approve all follow requests before they go through.”
Neither Instagram nor Facebook has commented publicly on the alleged vulnerability. Facebook did not immediately respond to an e-mail requesting comment.
Update 7/12/12 8:00 am: Instagram has posted a Help Center page acknowledging the vulnerability and stating that it has been “resolved.” The company says there’s no evidence that anyone took advantage of the exploit other than “very minimal experiments by a technical researcher.”
Contradicting Guerrero’s claims, Instagram said “the technical researcher was not able to follow private users” and that no private photos were made public. Guerrero confirmed in a tweet that the vulnerability has been fixed.
Here’s the full text of Instagram’s statement:
We were recently alerted to a bug in the way our following / followers system works. Due to this bug, in very specific circumstances a following relationship could be created incorrectly.
More information:
* We don’t have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher.
* The technical researcher was not able to follow private users, nor were private users’ data ever at risk.
* The bug was resolved and tested for integrity within a couple hours of being alerted to it.
* Never in the course of the bug existing was users’ data at risk–and at no point were private photos made public.