Facebook has patched two vulnerabilities which affected approximately one million users of Instagram and left their accounts open to compromise.
The social networking giant awarded $5,000 to Belgian security researcher Arne Swinnen, who discovered the security flaw, as part of the firm's bug bounty program.
According to a blog post published on Friday, Swinnen came across two security weaknesses while accessing an old test account on the photo-sharing platform. The researcher has disclosed Instagram vulnerabilities in years past, and once he returned to his test account, Swinnen was redirected to a page which required account verification due to inactivity.
There was no linked phone number on this account, so Swinnen's only available option was through email verification.
The security researcher quickly noticed that the page not only contained missing authentication protocols but the address also included the Instagram account's unique user ID. While this in itself isn't necessarily a problem, by plugging in the right numbers, Swinnen was able to visit the landing pages of a small percentage of temporarily locked accounts -- and was then able to update their email addresses.
"Once an attacker could set the email address linked to an Instagram account, he/she could perform a password reset via email and gain full access to it," the researcher notes. "Big security impact, but only 0.17 percent of accounts affected."
Overall, the problem affected four percent of existing and active Instagram accounts in a locked state, which equates to approximately one million users.
With further exploration, the researcher found he was also able to update and change phone numbers linked to these vulnerable accounts, perform the "reset password via SMS" process and then completely take over an account.
According to Swinnen, a quick check revealed a number of these accounts which could have been compromised had only been inactive for a few weeks and supported a strong following.
Swinnen was not able to reproduce the account takeover attacks himself as this would have required him to take over legitimate user accounts -- which lead to the area of unethical hacking. While the researcher mentioned this to Facebook, it did not seem to matter as the company accepted the missing authentication and insecure direct object reference vulnerabilities existed.
The bug was submitted to Facebook on 14 March. Swinnen says Facebook took no more than 24 hours to patch the problem by enforcing authentication protocols on pages which allow users to update their profile information. The bug bounty reward was issued 10 days later.