Instagram vulnerability: Anyone can add you, see your photos

A new security flaw has been discovered in Instagram that allows a perpetrator to add anyone as a friend and see their private photos and profile information. Facebook has been contacted. While we wait for an explanation and/or a fix, please be wary of what you upload to the service.
Written by Emil Protalinski, Contributor
Instagram vulnerability: Anyone can add you, see your photos

Spanish security researcher Sebastián Guerrero has discovered a flaw in Instagram which he has dubbed the "Friendship Vulnerability." In short, it allows anyone to add themselves as a friend to your Instagram account. As a result, they can then view photos you have set to Private as well as profile information.

Guerrero blames the bug on Instagram's "lack of control on the logic applied to authorization feature." He explains that both the iPhone and Android apps are affected by the remote vulnerability. Furthermore, the security researcher notes that an attacker could attempt a brute force attack where he or she adds themselves as a friend to a list of users and then steals all their private albums.

In one example, Guerrero adds himself to Facebook co-founder and CEO Mark Zuckerberg's account (as you can see in the screenshot above). He then sends Zuckerberg a personal message of congratulation for buying Instagram:

Congratulations Mark for Instagram acquisition. When would it be eligible under the bounty bug program? :):)

Guerrero says he has already contacted Instagram with details of the flaw. I have contacted Facebook, which is in the process of acquiring the company, and will update you if I hear back.

In the meantime, if you use Instagram, make sure you do not store sensitive pictures on the service. That's a general rule: do not upload anything to the Internet that you are uncomfortable with everyone seeing.

Hat tip to ESET for letting me about this flaw.

Update - Instagram is downplaying this issue by saying the following:

  • We don't have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher.
  • The technical researcher was not able to follow private users, nor were private users' data ever at risk.
  • The bug was resolved and tested for integrity within a couple hours of being alerted to it.
  • Never in the course of the bug existing was users' data at risk--and at no point were private photos made public.

Instagram also said the bug only affected "very specific circumstances" where "a following relationship could be created incorrectly." The company says it has fixed the bug in question and Guerrero confirmed via Twitter. All is well once again.

See also:

Editorial standards