Social Media Boosting Service Exposed Thousands of Instagram Passwords

An anonymous reader quotes a report from TechCrunch: A social media boosting startup, which bills itself as a service to increase a user's Instagram followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.

Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in -- simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account -- and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information with relative ease. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

"The spreadsheet contained about 4,700 complete sets of Instagram usernames and passwords," the report says. "The rest of the records contained just the user's name and their email address."

Forgot Encryption?

[The New Guy 2.0]

This site seems to have so little security, it seems to be an attempt to take over Instagram and down accounts of those seeking to be popular...

Re:

[The New Guy 2.0]

Because like on YouTube, it creates a small broadcaster-like audience, and that can be converted to money.

Re:

[Narcocide]

Yea, a view-source vulnerability?! This one reads like a staged "accident."

Hilarious

[JustAnotherOldGuy]

Flat out hilarious.

Users who are desperate to gain the tiniest slice of ego-boosting recognition through broadcasting their identity are now getting recognition from having their identity broadcast.

"I never thought leopards would eat MY face," sobs woman who voted for the Leopards Eating People's Faces Party.
 

Karma

[bobthesungeek76036]

They deserved everything that happened. Give a third-party my password. What could go wrong???

Re:

[The New Guy 2.0]

Uhm, we give Google e-mail passwords to servers we'd like to access through Gmail... then again, they're not as stupid as these guys.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[MobyDisk]

This is the kind of stuff that ought to get them sued. It isn't "hackers got into our stuff" it's "we didn't even bother to install a front door." Let's see:
1) Didn't implement OAuth (else they wouldn't even *have* your Instagram password)
2) Didn't encrypt passwords (if they stored them to login to your IG account, then they couldn't one-way hash them)
3) Didn't bother to check security when the user accessed the page

So no security at all.

Ha ha ha ha

[JustAnotherOldGuy]

Simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account

Code Comment: It was a feature not a bug, I swear it!!

Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight

Code Comment: Okay, that one was a bug, whoops my bad lol maybe fix it in rev 2 maybe not c