Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Social Networks Privacy Security Technology

Social Media Boosting Service Exposed Thousands of Instagram Passwords (techcrunch.com) 11

An anonymous reader quotes a report from TechCrunch: A social media boosting startup, which bills itself as a service to increase a user's Instagram followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.

Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in -- simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account -- and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information with relative ease.
The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

"The spreadsheet contained about 4,700 complete sets of Instagram usernames and passwords," the report says. "The rest of the records contained just the user's name and their email address."
This discussion has been archived. No new comments can be posted.

Social Media Boosting Service Exposed Thousands of Instagram Passwords

Comments Filter:
  • This site seems to have so little security, it seems to be an attempt to take over Instagram and down accounts of those seeking to be popular...

  • Hilarious (Score:5, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Friday January 31, 2020 @07:30PM (#59677002) Journal

    Flat out hilarious.

    Users who are desperate to gain the tiniest slice of ego-boosting recognition through broadcasting their identity are now getting recognition from having their identity broadcast.

    "I never thought leopards would eat MY face," sobs woman who voted for the Leopards Eating People's Faces Party.
     

  • They deserved everything that happened. Give a third-party my password. What could go wrong???
    • Uhm, we give Google e-mail passwords to servers we'd like to access through Gmail... then again, they're not as stupid as these guys.

  • by account_deleted ( 4530225 ) on Friday January 31, 2020 @07:58PM (#59677050)
    Comment removed based on user account deletion
    • by MobyDisk ( 75490 )

      This is the kind of stuff that ought to get them sued. It isn't "hackers got into our stuff" it's "we didn't even bother to install a front door." Let's see:
      1) Didn't implement OAuth (else they wouldn't even *have* your Instagram password)
      2) Didn't encrypt passwords (if they stored them to login to your IG account, then they couldn't one-way hash them)
      3) Didn't bother to check security when the user accessed the page

      So no security at all.

  • Simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account

    Code Comment: It was a feature not a bug, I swear it!!

    Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight

    Code Comment: Okay, that one was a bug, whoops my bad lol maybe fix it in rev 2 maybe not c

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...