Instagram: follower-growth service leaks passwords. Change yours!
Social Captain, a service that promises to grow the followers of an Instagram account, stored its users' Instagram passwords in the clear, exposing them to leakage.
Security issue for Instagram users: Social Captain, a "boosting" service that offers to increase the number of followers on an account, has exposed thousands of Instagram account passwords. The news comes from TechCrunch, which received and relayed the findings of a security researcher who asked to remain anonymous.
Anyone wanting to use the service must register with Social Captain, create an account, and then enter their Instagram login credentials so that the service can do its job. The problem is that Social Captain stored the Instagram username/password pairs in plain, unencrypted text: a user viewing the source code of their own Social Captain profile page would have seen the username and password of the linked Instagram account in the clear.
That is not all: a bug on the site allowed access to any Social Captain user's profile page without logging in, simply by entering the account's unique ID in the service's web address. Since account IDs were sequential, it was in principle possible to walk through a large number of accounts and read the Instagram username and password, plus other information, with relative ease.
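To make the two defects concrete, the following is an added illustration in Python. It is not Social Captain's code (the service's implementation is not public), and the accounts, session tokens and public identifiers in it are constructed for the example. It shows an unauthenticated profile handler keyed by a sequential integer that returns the linked Instagram password, the enumeration such a handler permits, and the same page with both defects closed: a session is required, the session must own the requested account, the URL identifier is opaque, and the password never reaches the response.

```python
import secrets

# Constructed sample data for the demonstration. These are made-up accounts,
# not records from Social Captain or from the researcher's list.
ACCOUNTS = {
    1: {"email": "alice@example.com", "ig_user": "alice_ig", "ig_password": "hunter2", "plan": "paid"},
    2: {"email": "bob@example.com", "ig_user": "bob_ig", "ig_password": "correct horse", "plan": "free"},
    3: {"email": "carol@example.com", "ig_user": "", "ig_password": "", "plan": "free"},  # not linked yet
}

# Session store (constructed): session token -> internal account id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

# Opaque URL identifiers (constructed): public id -> internal account id.
PUBLIC_IDS = {"k3Zr9wQxL2": 1, "Ht8vP0mcYa": 2, "Bq5sN1dzRe": 3}


def vulnerable_profile(account_id):
    """Hypothetical handler for GET /profile/<account_id> as the article describes it:
    no authentication, a sequential integer id in the URL, and a page body that
    carries the linked Instagram credentials in clear text."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, dict(acct)  # ig_password ends up in the rendered page source


def enumerate_leaked(fetch, start, stop):
    """Walk sequential ids through a profile handler and collect every complete
    Instagram username/password pair it hands back. Against the vulnerable
    handler this is the scraping that sequential ids made possible."""
    leaked = []
    for account_id in range(start, stop):
        status, body = fetch(account_id)
        if status == 200 and body.get("ig_user") and body.get("ig_password"):
            leaked.append((body["ig_user"], body["ig_password"]))
    return leaked


def hardened_profile(session_token, public_id):
    """The same page with the missing checks in place: a valid session is
    required, the session must own the requested account, the URL carries an
    opaque id, and the linked password is never placed in the response."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    account_id = PUBLIC_IDS.get(public_id)
    if account_id is None or account_id != owner:
        return 404, None  # 404 rather than 403: do not confirm that the id exists
    acct = ACCOUNTS[account_id]
    # Render only what the page needs. The Instagram password stays server-side;
    # the service needs it to log in, so it must be kept encrypted at rest, not hashed.
    return 200, {"email": acct["email"], "ig_user": acct["ig_user"], "plan": acct["plan"]}


def new_public_id():
    """Mint an opaque, unguessable id for a new account's URL, so that reaching
    the next account is no longer a matter of adding one."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("leaked via sequential ids:", enumerate_leaked(vulnerable_profile, 1, 100))
    print("hardened, no session:", hardened_profile(None, "k3Zr9wQxL2"))
    print("hardened, wrong owner:", hardened_profile("tok-bob", "k3Zr9wQxL2"))
    print("hardened, owner:", hardened_profile("tok-alice", "k3Zr9wQxL2"))
```

The two fixes are independent: the ownership check alone stops the enumeration even with sequential ids, and keeping the password out of the response alone means that a future authorization slip (such as the token-less endpoint Social Captain's CEO describes below) no longer leaks credentials.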
The researcher, who presumably used this method, gave TechCrunch a list of around 10,000 entries. The document contains 4,700 complete username/password pairs; the remaining entries are single usernames or email addresses. The document also distinguishes free accounts from paid ones: the latter number just 70, but for many of them the customer's billing address can be traced as well.
Have you used Social Captain? Change your Instagram password
TechCrunch contacted Social Captain, which confirmed it had fixed the vulnerability by blocking direct access to other users' profiles. It remains possible, however, to recover the account information by inspecting the source code of each user's own page.
"Initial analyses indicate that the problem occurred over the past few weeks, when the endpoint, to facilitate integration with a third-party email service, was temporarily made accessible without token-based authorization. As soon as we conclude the internal investigation, we will notify users who may have been involved in the event of a breach and invite them to update their credentials," said Anthony Rogers, CEO of Social Captain, who did not say how long the investigation will last.
"We are investigating and will take appropriate action. We encourage people not to give their passwords to someone they don't know or don't trust," said an Instagram spokesperson, adding that the Social Captain service violates its terms of use by improperly storing login credentials.
Anyone who has used the Social Captain service should change their Instagram password immediately.