In a recent hack, an Instagram bug was exploited to gain unauthorised access to the contact details of about 6 million user accounts. The attackers abused a bug in Instagram's API to obtain the phone numbers and email addresses of high-profile users. Instagram has not provided any information about who the affected users are or how the attackers gained access to them. The news came two days after hackers took over the account of Instagram's most-followed user, Selena Gomez, and posted private pictures of her ex-boyfriend Justin Bieber.
Kaspersky has conducted an in-depth analysis of the latest Instagram hack. It has provided technical details and a brief analysis of how the perpetrators obtained user data from such a popular and supposedly "secure" platform.
Kaspersky researchers found that the vulnerability exists in version 8.5.1 of the Instagram mobile app, released back in 2016; the current version of the app is 12.0. The researchers point out that the attack method was relatively simple. Using the outdated app, the attacker starts a password reset and captures the resulting request with a web proxy. They then substitute the target's username into that request and resend it to Instagram's server, which trusts the client-supplied username and answers with a JSON response containing the victim's personal information, including sensitive data such as the email address and phone number.
Although the attack is simple, it is quite labour-intensive: each request has to be crafted manually, because Instagram uses a mathematical challenge to stop attackers from automating the request form. Kaspersky also reveals that the hackers were spotted on an underground forum trading the contact details of celebrity accounts.
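The two paragraphs above describe an endpoint that trusts a client-supplied username and echoes the account's contact details, and an anti-automation control that only slows the attacker down. The following is an added example, not Instagram's code and not from Kaspersky's analysis: a minimal model of such a password-reset handler next to a hardened counterpart. The usernames, contact details, client identifiers and rate-limit values are all constructed for illustration.

```python
# Added example (not Instagram's code, not from Kaspersky's analysis): a
# password-reset endpoint that leaks contact details, beside a hardened one.
# All accounts, identifiers and limits below are constructed for illustration.
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

# Constructed sample accounts; every value here is fictional.
USERS: Dict[str, Dict[str, str]] = {
    "victim_one": {"email": "victim@example.com", "phone": "+15550001111"},
    "attacker": {"email": "attacker@example.com", "phone": "+15550002222"},
}


def vulnerable_reset(username: str) -> dict:
    """Models the flaw described above: the username comes straight from
    the request body and the reply echoes the account's contact details.
    Swapping in any other username discloses that user's email and phone."""
    user = USERS.get(username)
    if user is None:
        return {"status": "fail", "message": "No users found"}
    return {"status": "ok", "email": user["email"], "phone": user["phone"]}


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: v*****@example.com."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def mask_phone(phone: str) -> str:
    """Keep only the last two digits: **********11."""
    return "*" * (len(phone) - 2) + phone[-2:]


def owner_contact_view(username: str) -> dict:
    """What a UI may show to the *already authenticated* owner of the account.
    Even there, contact details are masked; an unauthenticated reset caller
    never receives them in any form."""
    user = USERS[username]
    return {"email": mask_email(user["email"]), "phone": mask_phone(user["phone"])}


class HardenedResetService:
    """Hardened counterpart: identical response whether or not the account
    exists (no PII, no username enumeration), the reset token delivered out of
    band rather than in the response, and per-client rate limiting so a
    captured request cannot simply be replayed across many usernames."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.outbox: list = []  # stands in for the email/SMS delivery channel

    def _rate_limited(self, client_id: str) -> bool:
        """Sliding-window counter per client (IP, device id, session)."""
        now = self.clock()
        hits = self._hits[client_id]
        while hits and now - hits[0] > self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_per_window:
            return True
        hits.append(now)
        return False

    def reset(self, username: str, client_id: str) -> dict:
        if self._rate_limited(client_id):
            return {"status": "fail", "message": "Too many requests, try again later"}
        user = USERS.get(username)
        if user is not None:
            # The token goes to the verified contact channel, never to the caller.
            token = secrets.token_urlsafe(32)
            self.outbox.append((user["email"], token))
        # Same body for existing and unknown accounts: nothing for an
        # attacker to harvest, and no way to confirm a username exists.
        return {"status": "ok",
                "message": "If the account exists, a reset link has been sent"}
```

The hardened service only makes the request-per-client budget explicit; the important change is that the response body no longer depends on the account, so neither a proxy nor an automated client can learn anything from it beyond whether the caller is being throttled.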
Altaf Halde, MD for South Asia at Kaspersky Lab, advises users who are still running older versions of the Instagram app to update to the latest available version immediately. Kaspersky also advises users to stay safe on social media by using different email addresses for different social platforms, reporting any concerns or irregularities to the network, and, most of all, alerting the corresponding service immediately if they receive a password-reset email they did not initiate. Kaspersky has already shared this brief technical analysis with Instagram.