Instagram has patched a flaw in its photo sharing application that could have allowed anyone to add themselves as friends to accounts and view information and photos that were set to private.
The vulnerability, discovered by Spanish security researcher Sebastián Guerrero, could have allowed an attacker to “carry out a brute force attack to be added as a friend to any account,” according to a post on his blog (in Spanish). Dubbed the “Friendship Vulnerability” by Guerrero, the exploit bypassed the app’s friend request mechanism by tweaking the ‘field status’ and ‘user’ slots in the program’s API, so that the client, rather than the server, decided whose request was being accepted and what state it moved to.
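As an added illustration, not Instagram’s code (the article does not show the actual API), here is a toy friend-request endpoint in the shape the bug describes: the first handler trusts client-supplied `user` and `status` fields, the second derives the actor from the authenticated session and permits only the one legitimate transition. Names, request ids and the session model are assumptions made for the example.

```python
from dataclasses import dataclass

PENDING, ACCEPTED = "pending", "accepted"


@dataclass
class FriendRequest:
    requester: str  # who sent the request
    target: str     # who must approve it
    status: str = PENDING


def build_store():
    """Constructed sample data: one pending request from mallory to alice."""
    return {1: FriendRequest(requester="mallory", target="alice")}


def update_vulnerable(store, payload):
    """Defective pattern: identity and new state both come from the request body.
    Anyone who can name a request id (or enumerate them) can set 'user' to the
    target and 'status' to accepted, approving the request on the target's behalf."""
    req = store[payload["request_id"]]
    if payload["user"] == req.target:   # attacker controls this field
        req.status = payload["status"]  # and this one
    return req.status


def update_hardened(store, session_user, payload):
    """Fixed pattern: the actor is the authenticated session user, never a field
    in the payload, and the only client-requestable transition is
    pending -> accepted by the request's target. Returns 'denied' otherwise."""
    req = store.get(payload.get("request_id"))
    if req is None or req.target != session_user:
        return "denied"                 # not the recipient of this request
    if req.status != PENDING or payload.get("action") != "accept":
        return "denied"                 # no other transition is exposed
    req.status = ACCEPTED
    return req.status
```

The key difference is that the hardened handler never reads an identity from the body, so the spoofable fields the article mentions simply do not exist in its contract.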
In a post on its help center, Instagram acknowledged the bug could have been reproduced “in very specific circumstances,” but insisted it was never taken advantage of, aside from Guerrero’s work. The post goes on to assure users that their information was never at risk, that private photos were not made public, and that the bug was resolved within hours of the company being notified.
Initially only available on iPhone, Instagram came to Android in April and was acquired by Facebook later that month for a whopping $1B in cash and stock. The app’s transition to the big stage has been relatively painless, save for the occasional fake version surfacing in app stores.