Instagram vulnerability: Anyone can add you, see your photos

Summary: A new security flaw has been discovered in Instagram that allows a perpetrator to add anyone as a friend and see their private photos and profile information. Facebook has been contacted. While we wait for an explanation and/or a fix, please be wary of what you upload to the service.

Spanish security researcher Sebastián Guerrero has discovered a flaw in Instagram which he has dubbed the "Friendship Vulnerability." In short, it allows anyone to add themselves as a friend (follower) of your Instagram account without your approval, even if the account is set to Private. As a result, they can then view photos you have set to Private as well as your profile information.

Guerrero blames the bug on Instagram's "lack of control on the logic applied to authorization feature." In effect, the service creates the following relationship without enforcing the approval step a private account is supposed to require. He explains that both the iPhone and Android apps are affected and that the vulnerability can be exploited remotely. Furthermore, the security researcher notes that an attacker could run what he calls a brute force attack: adding themselves as a friend of every user in a list and then harvesting all of their private albums.
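To make the class of bug concrete, here is an added example (not Instagram's code, and not the researcher's) using a hypothetical follow/visibility model. The `follow_vulnerable` handler writes the relationship without looking at the target's privacy setting; the `follow_fixed` handler lets the target's setting decide the outcome, so a private account only ever receives a pending request that its owner must approve. The `sweep` function reproduces the automated attack described above over constructed sample accounts. All names (`User`, `Forbidden`, `follow_vulnerable`, `follow_fixed`, `approve`, `list_photos`, `sweep`, `make_users`) are assumptions made for this illustration.

```python
# Added example, not Instagram's code: a toy follow/visibility model whose
# "vulnerable" handler reproduces the class of bug described in the article,
# beside a hardened handler. All names here are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass
class User:
    name: str
    private: bool
    photos: list = field(default_factory=list)
    followers: set = field(default_factory=set)   # approved followers
    pending: set = field(default_factory=set)     # follow requests awaiting the owner


def follow_vulnerable(actor: User, target: User) -> str:
    # Bug: the relationship is written without consulting target.private, so a
    # private account gains a follower it never approved.
    target.followers.add(actor.name)
    return "following"


def follow_fixed(actor: User, target: User) -> str:
    # The target's privacy setting, not the caller, decides the resulting state:
    # a private account only ever gets a pending request from this endpoint.
    if actor.name == target.name:
        raise Forbidden("cannot follow yourself")
    if target.private:
        target.pending.add(actor.name)
        return "requested"
    target.followers.add(actor.name)
    return "following"


def approve(target: User, requester: str) -> None:
    # Only the owner's explicit approval promotes a pending request to a follow.
    if requester not in target.pending:
        raise Forbidden(f"no pending request from {requester}")
    target.pending.discard(requester)
    target.followers.add(requester)


def list_photos(viewer: User, target: User) -> list:
    # Read-side check: private photos are visible to the owner and approved
    # followers only. The write path above must agree with this check.
    if target.private and viewer.name != target.name and viewer.name not in target.followers:
        raise Forbidden("private account")
    return list(target.photos)


def sweep(attacker: User, users: list, follow) -> dict:
    # The automated attack the researcher describes: follow every user in a
    # list, then try to read their photos. Returns what the attacker could see.
    leaked = {}
    for user in users:
        follow(attacker, user)
        try:
            leaked[user.name] = list_photos(attacker, user)
        except Forbidden:
            pass
    return leaked


def make_users() -> list:
    # Constructed sample accounts (not real data).
    return [
        User("private_pat", private=True, photos=["beach.jpg", "family.jpg"]),
        User("public_paul", private=False, photos=["sunset.jpg"]),
    ]


if __name__ == "__main__":
    mallory = User("mallory", private=False)
    print("vulnerable:", sweep(mallory, make_users(), follow_vulnerable))
    print("fixed:     ", sweep(mallory, make_users(), follow_fixed))
```

The point of the pair is that the visibility check in `list_photos` is correct in both versions; the leak comes entirely from the write path creating a relationship the read path then trusts. When reviewing a fix for this kind of bug, check both the endpoint that creates the relationship and every other path that can write to the same table.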

In one example, Guerrero adds himself to Facebook co-founder and CEO Mark Zuckerberg's account (shown in a screenshot accompanying the original article). He then sends Zuckerberg a personal message of congratulation for buying Instagram:

Congratulations Mark for Instagram acquisition. When would it be eligible under the bounty bug program? :):)

Guerrero says he has already contacted Instagram with details of the flaw. I have contacted Facebook, which is in the process of acquiring the company, and will update you if I hear back.

In the meantime, if you use Instagram, make sure you do not store sensitive pictures on the service. That's a general rule: do not upload anything to the Internet that you are uncomfortable with everyone seeing.

Hat tip to ESET for letting me know about this flaw.

Update - Instagram is downplaying this issue by saying the following:

  • We don't have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher.
  • The technical researcher was not able to follow private users, nor were private users' data ever at risk.
  • The bug was resolved and tested for integrity within a couple hours of being alerted to it.
  • Never in the course of the bug existing was users' data at risk--and at no point were private photos made public.

Instagram also said the bug only affected "very specific circumstances" where "a following relationship could be created incorrectly." The company says it has fixed the bug in question, and Guerrero confirmed the fix via Twitter. All is well once again.

Topics: Security, Android, Apps, iPhone, Mobility

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • I must be missing something

    I can take a photo and immediately store it on Skydrive, publish it on social networking or send it in an email looking like I shot it or edited it on the phone. Why would I use a service that cuts my photo to 4:3 and degrades it with filters?

    Perhaps someone could enlighten me about the advantages of Instagram?
  • Because it's easy...

    Yes. I can do all that too. But Instagram isn't about quality really, it's about being simple enough so that anyone can use it. You just click and upload and everyone else can see (and judge) your pictures. It's more of a quick-photo-blog thingy than really a photo app.

    About everyone being able to view your photos though, well, don't take pictures you would label "private". Of course everyone can see your pictures, the same goes for almost every other photosharing service on the net. Thinking otherwise is being naive.
    Mikael Guggenheim
    • Yeh

      And I apologize for my lousy spelling...
      Mikael Guggenheim