The startup that helped Instagram users gain popularity has unintentionally undermined its own security: the service Social Captain inadvertently exposed users’ Instagram account passwords.
Recently, TechCrunch revealed details of a cybersecurity issue affecting Instagram users. Specifically, it disclosed bugs in the service Social Captain that put thousands of Instagram accounts at risk.
In brief, a researcher, whom TechCrunch hasn’t named, found that Social Captain stored Instagram users’ credentials in plain text. Anyone logged in to the app could see their own Instagram username and password in plain text by viewing the source code of their Social Captain profile page.
While this already posed a threat, things worsened further: the bug also exposed users’ passwords to others. Anyone logged in to the service could view other users’ passwords simply by replacing the unique account ID in the URL. Because these account IDs were sequential, anyone changing their own ID to neighbouring values could view other accounts’ credentials.
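The two defects described above, an access check that only asks “is the caller logged in?” and a profile page that embeds the stored Instagram password, are easy to see in code. The following is an added example, not Social Captain’s code: a toy profile endpoint with both defects, the hardened version of the same endpoint (ownership check plus a page that never echoes the stored secret, which is what the fix described below amounts to), and a small log check that flags the access pattern sequential IDs invite. All users, sessions, log lines and the `/profile/<id>` URL shape are constructed for the example.

```python
# Added example, not Social Captain's code. Users, sessions, log lines and the
# URL layout are constructed; nothing here reflects the real service's internals.
from dataclasses import dataclass
import re


@dataclass
class User:
    id: int
    ig_username: str
    ig_password: str   # stored in plain text, as the report describes
    plan: str


# Constructed sample records with sequential IDs, like the ones described above.
USERS = {
    1001: User(1001, "alice_ig", "hunter2", "premium"),
    1002: User(1002, "bob_ig", "s3cret!", "free"),
}


class Forbidden(Exception):
    pass


def profile_vulnerable(session_user_id, requested_id):
    """Defective endpoint: any logged-in session may fetch any profile, and the
    rendered page carries the stored Instagram password in the form markup."""
    if session_user_id is None:
        raise Forbidden("login required")
    u = USERS.get(requested_id)
    if u is None:
        return None
    return (f'<input name="ig_user" value="{u.ig_username}">'
            f'<input name="ig_pass" value="{u.ig_password}">')


def profile_hardened(session_user_id, requested_id):
    """Hardened endpoint: authorization is tied to the resource (only its owner
    may view it) and the stored secret is never sent to the browser; the form
    simply asks for it again if the user wants to change it."""
    if session_user_id is None:
        raise Forbidden("login required")
    if requested_id != session_user_id:
        # Same response as a missing record, so a caller cannot use the
        # endpoint to learn which IDs exist.
        return None
    u = USERS.get(requested_id)
    if u is None:
        return None
    return (f'<input name="ig_user" value="{u.ig_username}">'
            f'<input name="ig_pass" type="password" value="" placeholder="(stored)">')


def page_leaks_secret(html, user):
    """Check helper: does the rendered page contain the user's stored password?"""
    return html is not None and user.ig_password in html


# Constructed access-log shape: "session=<id> GET /profile/<profile id> <status>"
LOG_RE = re.compile(r"session=(?P<sid>\S+) GET /profile/(?P<pid>\d+)")


def flag_enumerating_sessions(log_lines, threshold=5):
    """Return session IDs that requested more than `threshold` distinct profile
    IDs. A user viewing their own profile touches one ID; a walk across a
    sequential ID space touches many, which is the pattern to alert on."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        seen.setdefault(m["sid"], set()).add(int(m["pid"]))
    return sorted(sid for sid, ids in seen.items() if len(ids) > threshold)


# Constructed access log: one ordinary session and one stepping through IDs.
SAMPLE_LOG = (
    ["session=s-normal GET /profile/1001 200"]
    + [f"session=s-walk GET /profile/{i} 200" for i in range(1001, 1009)]
)


if __name__ == "__main__":
    alice = USERS[1001]
    print(page_leaks_secret(profile_vulnerable(1002, 1001), alice))  # True: Bob's session sees Alice's password
    print(profile_hardened(1002, 1001))                              # None: not the owner
    print(page_leaks_secret(profile_hardened(1001, 1001), alice))    # False: owner sees no password
    print(flag_enumerating_sessions(SAMPLE_LOG))                     # ['s-walk']
```

The ownership check is the actual fix; replacing sequential IDs with opaque random ones only makes enumeration slower and should be treated as defence in depth. Storing the Instagram password in plain text is a separate problem that the endpoint fix does not address, which is why the hardened page never sends the stored value back to the browser at all.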
The researcher was able to scrape around 10,000 accounts. The scraped dataset shared with TechCrunch also indicated whether each account was on a free or premium subscription; for premium accounts, the data also included billing details.
Following this discovery, TechCrunch contacted Social Captain regarding the bug, and the company confirmed its existence. It also fixed the vulnerability by preventing access to other users’ profiles.