Turns out that “Private” is just a word when it comes to your pictures on Instagram. Andy Greenberg reveals a huge security hole in Instagram that had been present in the app for at least six months. Security researcher Christian Lopez found the hole using a common attack technique called cross-site request forgery (CSRF): a malicious web page tricks a logged-in user’s browser into sending a request the user never intended, and the site accepts it because the browser attaches the user’s session cookie automatically. In this case the forged request switched a user’s profile setting from private to public. So if someone wanted, they could lure a victim to such a page, download all of the user’s pictures, and switch the profile back to private before anyone was the wiser.
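To make the mechanism concrete, here is an added example (not Instagram’s or Facebook’s code, and not from Greenberg’s report) that models a “set profile privacy” endpoint two ways: a vulnerable handler that trusts the session cookie alone, and a hardened one that also requires a per-session CSRF token and checks the browser-set Origin header. The session store, profile table, hostnames and handler names are all hypothetical, constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory state standing in for a session store and a user table.
# Every name here is hypothetical; none of this is Instagram's own code.
SESSIONS = {"sess-victim": {"user": "victim", "csrf": secrets.token_hex(16)}}
PROFILES = {"victim": {"is_private": True}}
SITE_ORIGIN = "https://instagram.example"      # assumed origin of the real site


def _session_for(request):
    """Look up the session named by the request's cookie, or None."""
    return SESSIONS.get(request["cookies"].get("session"))


def vulnerable_set_privacy(request):
    """Vulnerable handler: the session cookie is the only thing it checks.

    A page on any other site can make the victim's browser POST here; the
    browser attaches the cookie, so the attacker flips the setting without
    knowing any secret. This is the CSRF pattern the article describes."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    PROFILES[session["user"]]["is_private"] = request["form"]["is_private"] == "1"
    return 200, "ok"


def hardened_set_privacy(request):
    """Hardened handler: synchronizer token plus an Origin check.

    The token lives in the server-side session and is embedded only in the
    site's own settings form; a cross-site page cannot read it (same-origin
    policy) and cannot forge the Origin header, which the browser sets."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare on bytes so a non-ASCII token cannot raise.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    PROFILES[session["user"]]["is_private"] = request["form"]["is_private"] == "1"
    return 200, "ok"


def forged_request():
    """What the victim's browser sends after loading the attacker's page:
    cookie attached automatically, no token, Origin is the attacker's site."""
    return {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"is_private": "0"},
    }


def legitimate_request():
    """A request from the site's own settings page, carrying the session's token."""
    return {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"is_private": "0", "csrf_token": SESSIONS["sess-victim"]["csrf"]},
    }


def demo():
    """Replay the forged and legitimate requests against both handlers.

    Returns a dict of (HTTP status, resulting is_private flag) per scenario."""
    results = {}
    PROFILES["victim"]["is_private"] = True
    status, _ = vulnerable_set_privacy(forged_request())
    results["vulnerable_forged"] = (status, PROFILES["victim"]["is_private"])

    PROFILES["victim"]["is_private"] = True
    status, _ = hardened_set_privacy(forged_request())
    results["hardened_forged"] = (status, PROFILES["victim"]["is_private"])

    status, _ = hardened_set_privacy(legitimate_request())
    results["hardened_legit"] = (status, PROFILES["victim"]["is_private"])
    return results


if __name__ == "__main__":
    for name, (status, is_private) in demo().items():
        print(f"{name}: HTTP {status}, profile private={is_private}")
```

The forged request succeeds against the first handler and silently makes the profile public; the second handler rejects it while still accepting the site’s own form. In a real deployment the token check belongs on every state-changing route, and marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer so the cookie is not sent on cross-site POSTs at all.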
Lopez contacted Facebook’s security team in August to report the bug. Facebook gave him an award as part of its “bug bounty” program. However, Facebook could not properly fix the hole until last week, so private pictures were at risk for almost six months.
Facebook said:
We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our parent company Facebook’s White Hat Program. We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it. Due to the responsible reporting of this issue to us, we do not have evidence of account compromise using this bug.