Security consultant Arne Swinnen discovered vulnerabilities in the Instagram authorization system. According to security experts, a lack of authentication control combined with an insecure direct object reference vulnerability could have allowed criminals to hack around 4% of current accounts (approximately 20 million) on Instagram. The security problem lay in the temporary account lockout system.
During his security checks, Swinnen found that the form used for account verification can differ.
Hacker Found Ways To Hack 20 Million Instagram Accounts
Some variants of the form did not expose the vulnerabilities, while others allowed an attacker to access the account.
According to the security expert, 39,000 accounts could be accessed by changing the phone number associated with the account, a feat which also exposed the user’s phone digits, as they were pre-filled into the form. In addition, a hacker could potentially change the email address of 1,700 members.
Facebook, the owner of Instagram, paid Arne Swinnen (@arneswinnen) US$5,000 for reporting the loopholes, slinging a patch within 10 days of the disclosure earlier this month.
“An attacker could gain access to the user’s personal information and easily change their phone numbers on the Instagram account. Hence, after you enter a new number, a hacker could also use the password change function via SMS and can gain full access to your account.”
As security consultant Arne Swinnen says, “This case was the most troublesome, as an attacker could gather sensitive user information (pre-filled phone numbers) and, on the other hand, simply update the phone number linked to the victim’s Instagram account.”
Swinnen also added that “quick manual checks found many of those phone number-exposed Instagram accounts were ‘mostly human’ that had been inactive for a couple of weeks with a ‘good amount’ of followers.”