A startup that helps Instagram users gain popularity has itself suffered a security lapse: the service Social Captain inadvertently exposed its users’ Instagram passwords.
Social Captain Bugs Exposed Data
Recently, TechCrunch detailed a cyber security issue affecting Instagram users. In particular, it revealed a bug in the service Social Captain that put thousands of Instagram accounts at risk. In short, a researcher, whom TechCrunch did not name, found that Social Captain stored the Instagram credentials of its users in plain text. Anyone, after logging into the app, could see their own username and password in plain text by looking at the source code of their Social Captain profile page. While this was already a threat, things got worse because users could also uncover the passwords of others. In particular, anyone logged into the service could view another user’s password simply by changing the account ID in the URL. This account ID was sequential, so anyone who incremented their own ID could see the credentials of other accounts. Using this, the researcher was able to scrape around 10,000 accounts. The scraped dataset shared with TechCrunch also contained information about whether user accounts were on free or premium subscriptions. For premium accounts, the data also included the billing statement.
After this discovery, TechCrunch contacted Social Captain about the bug, and the company confirmed its existence. It also fixed the vulnerability by preventing access to other users’ profiles. Regarding how the bug appeared, Anthony Rogers, CEO of Social Captain, said,
“Preliminary analysis suggests that the issue was introduced during the past week, when the endpoint, to facilitate integration with third-party email service, has been temporarily made accessible without token-based authentication.”
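The two weaknesses the report describes (a profile endpoint that serves whatever sequential ID appears in the URL, with the stored Instagram password rendered into the page, and an endpoint left reachable without a session token) are easy to recognise in code. The following is an added illustration, not Social Captain’s code: a constructed in-memory profile store, a handler that reproduces the insecure direct object reference beside a hardened handler that requires a valid token, binds the served record to the session’s own account and never emits the secret, and a small check that flags a session walking through many distinct profile IDs in constructed access-log lines. All names, IDs and log lines are assumptions.

```python
"""Hypothetical profile endpoint: the access-control failure described in the
article next to a hardened version, plus a log check for ID enumeration.
Constructed sample data; not the code of the service discussed."""
import re
import secrets
from collections import defaultdict

# Constructed in-memory store: account id -> profile. The third-party password
# lives here because the service needs it, but it must never reach a response.
PROFILES = {
    1001: {"instagram_username": "alice_ig", "instagram_password": "hunter2", "plan": "premium"},
    1002: {"instagram_username": "bob_ig", "instagram_password": "pass123", "plan": "free"},
}

# Session tokens issued at login: token -> account id.
SESSIONS = {}


def login(account_id):
    """Issue an unguessable session token for an account (hypothetical login)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def vulnerable_profile(token, requested_id):
    """Only checks that the caller holds *some* session, then serves the record
    named in the URL and includes the stored password in the body. Any logged-in
    user can read any other user's credentials by changing the sequential id."""
    if token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(requested_id)
    if profile is None:
        return 404, None
    return 200, {
        "username": profile["instagram_username"],
        "password": profile["instagram_password"],  # secret rendered into the page
        "plan": profile["plan"],
    }


def hardened_profile(token, requested_id):
    """Requires a valid session token, enforces that the requested id is the
    caller's own, and omits the secret from the response entirely."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None          # endpoint is never reachable without a token
    if requested_id != caller:
        return 403, None          # ownership check: URL id must match the session
    profile = PROFILES[caller]
    return 200, {"username": profile["instagram_username"], "plan": profile["plan"]}


# Constructed access-log lines in an assumed format: timestamp, session, request, status.
LOG_RE = re.compile(r"^(?P<ts>\S+) session=(?P<sess>\S+) GET /profile/(?P<id>\d+) (?P<status>\d{3})$")

SAMPLE_LOG = """\
2020-02-10T10:00:01Z session=s1 GET /profile/1001 200
2020-02-10T10:00:02Z session=s1 GET /profile/1002 200
2020-02-10T10:00:03Z session=s1 GET /profile/1003 200
2020-02-10T10:00:04Z session=s1 GET /profile/1004 200
2020-02-10T10:00:05Z session=s1 GET /profile/1005 200
2020-02-10T10:00:06Z session=s2 GET /profile/1002 200
2020-02-10T10:00:07Z session=s2 GET /profile/1002 200
"""


def flag_enumeration(log_text, threshold=3):
    """Return sessions that requested more than `threshold` distinct profile ids.
    A legitimate user reads their own profile; a session walking sequential ids
    is the pattern the scrape in the article would leave behind."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                      # ignore lines that do not parse
        ids_by_session[m["sess"]].add(int(m["id"]))
    return sorted(s for s, ids in ids_by_session.items() if len(ids) > threshold)


if __name__ == "__main__":
    token = login(1001)
    print("vulnerable:", vulnerable_profile(token, 1002))   # leaks bob's password
    print("hardened:  ", hardened_profile(token, 1002))     # (403, None)
    print("own record:", hardened_profile(token, 1001))     # no password field
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))      # ['s1']
```

The hardened handler ignores the URL as a source of identity and takes the account from the session instead, which is the fix the article says was applied (blocking access to other users’ profiles); leaving the secret out of the response addresses the page-source exposure independently of that check.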
TechCrunch reports that the web page’s source code still shows account information. For now, the service is investigating the matter, after which, according to Rogers, it will notify users.
“As we finalize the internal investigation, we will alert users who could have been affected in the event of a breach and prompt them to update the respective username and password combinations.”
Let us know your thoughts in the comments.