Facebook has patched two security flaws in its Instagram mobile photo-sharing service that could have allowed attackers to take over users’ accounts.
Both flaws could have allowed an attacker to guess a user’s password by making a large number of guesses, known as a “brute-force” attack, according to Belgian computer security researcher Arne Swinnen, who discovered the bugs.
“Therefore, exploitation of these issues could have resulted in the compromise of millions of the 400+ million active Instagram accounts – especially those with predictable passwords,” he said in an advisory.
The flaws are the latest indication of insecurity in social media services, which has resulted in thefts of user data and the takeover of high-profile user accounts becoming increasingly routine.
Swinnen pointed out that both of the flaws resulted from the lack of basic security precautions to limit the number of incorrect guesses that could be made in user logins.
The first issue involved Instagram’s Android app, which allowed roughly 1,000 guesses from a unique IP address before delivering an error message.
Bizarrely, the error message persisted for another 1,000 guesses, after which login attempts were again allowed, although they alternated with the error message, Swinnen said.
“This allowed a reliable brute-force attack, since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received,” he wrote. “The only limitation of this attack was that on average, two authentication requests had to be made for one reliable password guess attempt.”
He said he was able to write a Python script that launched an attack using 10,000 popular passwords against a test Instagram account.
The second issue involved Instagram’s web portal login, which also lacked any feature effectively limiting the number of password guesses for an account and didn’t lock accounts targeted by a brute-force attack.
Swinnen said Facebook fixed both bugs by introducing more effective rate-limiting controls and also tightened restrictions on extremely easy-to-guess passwords such as “123456” or “password”.
Facebook awarded Swinnen a $5,000 (£3,400) bounty for the flaws.
Instagram introduced two-factor authentication in February, nearly five years after its parent company Facebook brought in the technique.
Are you a security pro? Try our quiz!
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…