Download Your Data tool bug exposed passwords in plain text
The photo and video-sharing social networking app Instagram revealed that a bug in its Download Your Data tool could have exposed users' passwords in plain text. The feature was released in April to meet GDPR requirements and lets users see what data the service has accumulated about them.
The problem with the tool was that plain text passwords were included in the URL shown in users' browsers, potentially exposing this information to anybody who could see that URL. While the flaw was fixed immediately and, according to Instagram's representatives, “affected a very small number of people,” many users were concerned about Instagram's security practices when it comes to personal data.
The exposed passwords were stored on the servers of Facebook, Instagram's parent company, although they have since been deleted. Security researchers at The Information reported the following:
While this may seem somewhat harmless (the user sees his/her own password), it is actually quite dangerous. E-mail is not a secure communication channel for transmitting passwords.
The breach might seem minor but reveals more issues within Instagram's security procedures
The breach might seem minor, as it is only the user who views his/her own password. In reality, however, the incident is a much more significant threat than one might expect. Many email providers store messages on their servers without encrypting them, which can lead to exposure. Additionally, if the user viewed the email on a public computer, other users of that computer might have seen the password.
Users often rely on the same password for multiple accounts. Therefore, the exposure of such a password might endanger other sensitive data, such as banking details or social security numbers, which in turn can lead to identity fraud or financial loss – not something anyone would want to experience.
According to Chester Wisniewski, a security researcher at Sophos, the exposure of passwords in plain text can be prevented entirely, as long as Instagram does not store any plain text passwords on its servers and relies on effective enciphering methods instead. He also noted that relying only on automated checks when testing new tools like Download Your Data is not an adequate practice.
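The defence Wisniewski describes boils down to two rules: never keep a recoverable copy of the password, and keep password material out of any feature that hands data back to the user. The following is an added illustration written for this article, not code from Instagram or Facebook; it uses a salted, slow hash (PBKDF2-HMAC-SHA256 from Python's standard library, the usual concrete form of the "enciphering" the article mentions) and a constructed user record, and it shows that a data-export function built on such a record has nothing secret to leak, whether into an email or into a URL.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption for this example: a work factor high enough to slow offline guessing.
# Real deployments tune this to their hardware; the exact number is illustrative.
ITERATIONS = 600_000
SALT_BYTES = 16

# Fields that must never leave the server, whatever tool is asking for them.
SECRET_FIELDS = {"password_record"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a storable record: random salt, cost, and the derived digest.
    The plain text password is not kept anywhere."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["digest"])))


def export_user_data(user: Dict[str, object]) -> Dict[str, object]:
    """A Download-Your-Data style export: everything the user may see,
    minus the fields that hold authentication secrets."""
    return {key: value for key, value in user.items() if key not in SECRET_FIELDS}


def export_contains_secret(exported: Dict[str, object], password: str) -> bool:
    """Check used by a test of the export tool: does the password (or any
    secret field) appear anywhere in the serialised export?"""
    serialised = repr(exported)
    return password in serialised or any(field in exported for field in SECRET_FIELDS)


if __name__ == "__main__":
    # Constructed sample user; the password value is invented for the demo.
    record = hash_password("correct horse battery staple")
    user = {
        "username": "example_user",
        "email": "example_user@example.com",
        "password_record": record,
    }
    exported = export_user_data(user)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("export leaks secret:", export_contains_secret(exported, "correct horse battery staple"))
```

The second check is the kind of assertion Wisniewski's remark about automated-only testing argues should be paired with a human review: an export test that greps its own output for the password and for secret field names would have caught plain text in the response before it ever reached a browser URL.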
Facebook has come under scrutiny before
Instagram is owned by Facebook, so it is not surprising that security researchers and users focus their attention on the company. It drew significant attention from the media and security regulators when the Cambridge Analytica scandal came to light. Since then, several other data security issues have been flagged, including the latest breach in September. And now, once again, all fingers are pointing towards the social media giant.
The Instagram platform itself has been affected by multiple issues as well. One of the most infamous hacks occurred in August, when hackers managed to access account names, profile pictures, passwords, and email addresses; the email addresses were changed to new ones at a Russian email provider, locking users out of their Instagram accounts.
It is not known exactly how many users were affected by the Download Your Data tool bug, but Instagram contacted each of the victims individually. While the flaw has already been fixed, those who used the feature previously and did not receive an email should change their passwords as a precautionary measure.