Security issue for Instagram users: Social Captain, a "boosting" service that offers the possibility of increasing the number of followers, he has exposed thousands of Instagram account passwords. TechCrunch gives us the news, receiving and retransmitting the discovery of a security researcher who wanted to remain anonymous.
Those who want to take advantage of this service must register with Social Captain by creating a user, and then enter their login credentials to Instagram so that the service can do its job. The problem that Social Captain has kept the username / password pairs of the Instagram accounts in plain text: a user viewing the source code of their page on Social Captain would have seen in clear the username and password of your Instagram account connected.
But it doesn't end there: a bug on the site has allowed access to the profile page of any Social Captain user without the need to log in, simply by entering the unique account ID in the web address of the service. Since account IDs are sequential, theoretically it was possible to access a large number of accounts and view Instagram username and password, and other information, with relative ease.
The researcher, who probably used this mode, handed over to TechCrunch a list of about 10,000,000 items. The document contains 4700 complete user / password pairs, while the remaining entries are single user names or email addresses. From the document it is also possible to distinguish free accounts from paid ones: the latter are just 70, but for many of them it is also possible to trace the customer's billing address.
Have you used Social Captain? Change your Instagram password
TechCrunch contacted Social Captain, who confirmed that he had solved the vulnerability by avoiding direct access to other user profiles. It remains for the possibility of be able to trace your account information going to explore the source code of each user's page.
"The first analyzes indicate that the problem occurred during the past weeks when the endpoint, in order to facilitate integration with a third-party email service, was temporarily made accessible without token-based authorization. As soon as we conclude the investigation we will notify users who may have been involved in the event of a violation and invite them to update their credentials, "he said. Anthony Rogers, CEO of Social Captain, which does not detail how long the investigation will last.
"We are investigating and will take appropriate action. We encourage people not to give their passwords to someone they don't know or trust," he said. declared an Instagram spokesman, indicating that the Social Captain service violates its terms of use by improperly retaining the login credentials.
Anyone who has made use of the Social Captain service should change Instagram passwords immediately.
