Sebastian Guerrero, an independent researcher in Barcelona, says he’s discovered a way to force friendship with any Instagram user – private or public – by exploiting an Instagram server-side vulnerability. In one case, Guerrero forced Mark Zuckerberg to follow his test account. Then Guerrero sent him a message through a photo post, which would show up in Zuckerberg’s photo feed of people he follows. Guerrero also used a test account to follow a private user without the required approval from the private user.
On Wednesday night, Instagram issued a bug fix advisory that emphasizes that private data was kept safe:
We were recently alerted to a bug in the way our following / followers system works. Due to this bug, in very specific circumstances a following relationship could be created incorrectly.
We don’t have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher.
The technical researcher was not able to follow private users, nor were private users’ data ever at risk.
The bug was resolved and tested for integrity within a couple hours of being alerted to it.
Never in the course of the bug existing was users’ data at risk, and at no point were private photos made public.
However, Guerrero listed as one of the discovered vulnerabilities that he was “…[A]ble to access images taken by users of the application and the information posted on their profile. Also, it was found that this vulnerability also affects users whose album is private, allowing access to photos stored on it” — which apparently contradicts Instagram’s second and final points in their advisory. Hmm. While that could technically be true (Guerrero never posted or made public any actual photos from private users), his test appears to show that he was able to force a private user to allow his follow and therefore he could potentially have access to those photos. PC Mag also alleges there was a much longer delay than “a couple of hours” before the bug was fixed.
Nevertheless, Instagram says the bug is now fixed.