Until a week ago, any malicious person could make private photos on Instagram public due to a security leak in the social photo service. That only required a few lines of code. Instagram's parent company Facebook has since closed the leak.
The leak, a so-called cross-site request forgery, required only the lines of code that sent a request to Instagram to switch the account from private to public. The developer who discovered the vulnerability copied that request from Instagram's Android app and replayed it against the browser version. Because the browser version has no visible setting for switching an account from private to public, the change happened in the background without the user noticing. In addition, the switch did not require an extra confirmation step, which would have alerted the user that private photos would now be publicly accessible.
A malicious person could have embedded the code on a site and then lured logged-in users to that site. The developer notified Facebook in August. The first fix, in September, turned out to be bypassable, after which the leak had to be repaired in a different way. Confirmation that the leak has been completely sealed came last week. Instagram now checks the user agent from which the request comes, so the setting can no longer be changed from the browser version. In addition, there is an extra check on the setting, whereby users must confirm that they indeed want to make their photos public. The developer has been awarded a cash reward for reporting the leak.
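To make the mechanics concrete, here is an added illustration (not code from the article, Instagram or Facebook) of why a cookie-authenticated, state-changing request can be forged from another site and how a server-side check stops it. It goes slightly beyond the article: besides a confirmation step like the one Instagram added, it shows the standard defense of a per-session anti-CSRF token plus an Origin check, since a user-agent string is supplied by the client and is not on its own a security boundary. All names, paths, origins and the in-memory account and session stores are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

# Constructed in-memory stores standing in for a backend (assumption, not Instagram's).
ACCOUNTS = {"alice": {"private": True}}
SESSIONS = {}  # session cookie value -> {"user": ..., "csrf": ...}

# Hypothetical first-party origin of the web app.
SITE_ORIGIN = "https://www.photoservice.example"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and a per-session anti-CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def vulnerable_set_privacy(req: Request) -> Tuple[int, str]:
    """The flawed pattern: a cookie-authenticated POST flips the setting with no
    proof that the request was issued by the user's own page. A browser attaches
    the session cookie automatically, so a request triggered from any site is
    accepted just like one from the app."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    ACCOUNTS[sess["user"]]["private"] = req.form.get("is_private") == "1"
    return 200, "ok"


def hardened_set_privacy(req: Request) -> Tuple[int, str]:
    """Hardened handler: same endpoint, three extra checks before any state change."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    # 1. Browsers set Origin on cross-site POSTs; reject anything not from our own site.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # 2. The page that rendered the form must echo the session's secret token.
    #    An attacker's page cannot read it, so a forged request cannot include it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    # 3. Explicit confirmation for a privacy-reducing change (the kind of step the article describes).
    if req.form.get("confirm") != "yes":
        return 400, "confirmation required"
    ACCOUNTS[sess["user"]]["private"] = req.form.get("is_private") == "1"
    return 200, "ok"


def run_cross_site_request(handler) -> Tuple[int, bool]:
    """Simulate a logged-in user whose browser sends the 'make public' request from
    an unrelated site: cookie present, Origin foreign, no token. Returns the
    handler's status and whether the account is still private afterwards."""
    ACCOUNTS["alice"]["private"] = True
    sid = login("alice")
    forged = Request(
        method="POST",
        path="/api/account/privacy",
        cookies={"sessionid": sid},                     # attached by the browser
        headers={"Origin": "https://other-site.example"},  # constructed third-party origin
        form={"is_private": "0"},
    )
    status, _ = handler(forged)
    return status, ACCOUNTS["alice"]["private"]


def run_legitimate_request() -> Tuple[int, bool]:
    """The user's own settings page submits the same change with token and confirmation."""
    ACCOUNTS["alice"]["private"] = True
    sid = login("alice")
    genuine = Request(
        method="POST",
        path="/api/account/privacy",
        cookies={"sessionid": sid},
        headers={"Origin": SITE_ORIGIN},
        form={"is_private": "0", "csrf_token": SESSIONS[sid]["csrf"], "confirm": "yes"},
    )
    status, _ = hardened_set_privacy(genuine)
    return status, ACCOUNTS["alice"]["private"]


if __name__ == "__main__":
    print("vulnerable handler, forged request:", run_cross_site_request(vulnerable_set_privacy))
    print("hardened handler, forged request:  ", run_cross_site_request(hardened_set_privacy))
    print("hardened handler, genuine request: ", run_legitimate_request())
```

Running it shows the vulnerable handler accepting the forged request and silently making the account public, while the hardened handler rejects it at the Origin check and only honours the request that carries the session's token and an explicit confirmation. The token check uses `hmac.compare_digest` so the comparison does not leak timing information.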
The developer discovered the vulnerability while looking for bugs in Instagram's iOS and Android apps. It is unclear whether malicious parties discovered and exploited the vulnerability earlier. Because the leak did not provide access to the account itself, users would have retained control of the account and could have set it back to private in the app.