A security vulnerability in the social network Instagram made the names and phone numbers of all its members accessible to hackers, Forbes magazine reveals.
This vulnerability, which has now been fixed, affected Instagram's connection and contact synchronization features. It allowed hackers to check whether phone numbers were linked to accounts and to learn the names of the people associated with those numbers.
The activist hacker who discovered the flaw, ZHacker13, explains that it could have been exploited through a brute-force attack, that is, by testing phone numbers one by one to see whether each was associated with an Instagram account.
A malicious actor could have built an algorithm to accomplish this task in order to extract all this information from the social network database.
It would then be sufficient to create an account and use the contact synchronization feature to associate these phone numbers with the accounts and names of members of the social network. This process could also have been automated using algorithms.
“Theoretically, I could have obtained the personal details of anyone who is registered with Instagram,” summarizes ZHacker13.
The flaw was corrected after the hacker informed Facebook, Instagram’s parent company, of its existence.
This news comes less than two weeks after it was revealed that phone numbers linked to more than 400 million Facebook accounts were stored online, exposed to malicious use.