It would seem that Facebook’s Instagram frequently makes the news because of its security glitches. Recently, a researcher discovered an Instagram flaw that could let an adversary link users’ contact numbers with their PII.
A security researcher using the alias ZHacker discovered a security flaw in Instagram that exposed users’ account data. As disclosed by Forbes, the researcher found that the flaw exposed Instagram users’ phone numbers linked to their accounts and real names.
Elaborating on the discovery, Zak Doffman from Forbes stated that the bug existed in Instagram’s contact importer feature. Abusing this feature together with a brute-force attack on the platform’s login form could allow the exploit. As stated in the blog post,
Specifically, the attack begins when the attacker brute-forces the platform’s login form to find a contact number tied to a live account. Contact numbers can easily be extracted from Instagram using an algorithm that harvests 1000 numbers a day. Then, by abusing Instagram’s Sync Contacts feature, the attacker could find the account linked with that phone number.
Though the attack had some limitations, it remained a serious issue with regard to users’ privacy.