An Instagram password leak that has exposed about 10,000 scraped user accounts stems from a popular “bot” app used to automatically grow a following on the platform. The app SocialCaptain stored Instagram usernames and passwords in plaintext, visible by viewing the source code of the app’s profile page.
What makes the breach even more serious is that any SocialCaptain profile could be freely accessed by entering the app’s unique user ID into a public URL.
How did the SocialCaptain Instagram password leak happen?
Instagram is one of the biggest battlegrounds in the modern war for attention. Platform users, especially those that aspire to be “influencers” or public figures, feel considerable pressure to grow their following and engagement metrics on the platform.
Some turn to bots such as SocialCaptain, automated programs that perform outreach for the user by doing things like commenting on trending hashtags, “liking” the content of other users or simply matchmaking app users to each other. SocialCaptain users had connected their account to the app, which required them to trust it with their password.
SocialCaptain proved to be unworthy of that trust. Had the app simply been scraping and storing usernames and passwords in plaintext on a private company server, that would be bad enough. It took things to another level by making these account credentials visible through the web.
Each SocialCaptain user is assigned a unique user ID, which is entered into a URL to access their central profile page. This feature was apparently secured by nothing more than that unique ID. Anyone who knew the ID of another user could go directly to their profile, and then view the web page source code to see their Instagram username and password listed there out in the open. One could also experiment with the URLs by entering sequential numbers to come across random SocialCaptain accounts to exploit.
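The access-control failure described above is a textbook insecure direct object reference combined with a secret rendered into page markup. The following is an added illustration, not SocialCaptain's code: a constructed profile handler in the vulnerable shape (ID in the URL is the only check, password written into the HTML) beside a hardened version that requires the session to own the profile, keeps the credential out of the rendered record, and uses unguessable IDs as defence in depth. All names and records are hypothetical.

```python
import html
import secrets

# Constructed sample records (hypothetical; the real app's schema is not on the page).
# Vulnerable layout: the Instagram credential sits in the same record the page renders.
PROFILES = {
    1001: {"ig_username": "alice_example", "ig_password": "hunter2"},
    1002: {"ig_username": "bob_example", "ig_password": "correct-horse"},
}


def render_profile_vulnerable(requested_id: int) -> str:
    """The pattern the article describes: the numeric ID in the URL is the only
    'secret', no session check is made, and the password is written into the
    markup, so it is visible with 'view source'."""
    p = PROFILES[requested_id]
    return (f'<div data-ig-user="{p["ig_username"]}" '
            f'data-ig-pass="{p["ig_password"]}">Profile</div>')


class Forbidden(Exception):
    pass


# Hardened layout: profile records carry no credential; the credential lives in a
# separate store (encrypted at rest in a real deployment) keyed by the owner, and
# the page renderer never reads from it.
PROFILES_HARDENED: dict[str, dict] = {}
CREDENTIAL_STORE: dict[str, str] = {}


def create_profile_hardened(ig_username: str, ig_password: str) -> str:
    """Assign an unguessable ID (defence in depth against URL enumeration) and keep
    the credential out of the record that gets rendered."""
    profile_id = secrets.token_urlsafe(16)
    PROFILES_HARDENED[profile_id] = {"ig_username": ig_username}
    CREDENTIAL_STORE[profile_id] = ig_password
    return profile_id


def render_profile_hardened(session_user_id: str, requested_id: str) -> str:
    """Object-level authorization: a logged-in session may render only its own
    profile; anything else is refused before any lookup happens."""
    if requested_id not in PROFILES_HARDENED or session_user_id != requested_id:
        raise Forbidden("profile does not belong to this session")
    p = PROFILES_HARDENED[requested_id]
    return f'<div data-ig-user="{html.escape(p["ig_username"])}">Profile</div>'


def page_leaks_secret(page: str, secret: str) -> bool:
    """Release-time check: does the rendered markup contain the credential?"""
    return secret in page
```

The `page_leaks_secret` check is the kind of assertion a test suite can run against every rendered template so that a credential never reaches the response body again.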
Though users should never be blamed for a security oversight of this magnitude, the SocialCaptain website does provide a good deal of warning that one is not engaging with the safest of business partners. No ownership, contact names or even a publisher name are listed, and different owner names and addresses appear on various sites. The Better Business Bureau says that it is owned by an Anthony Rogers of Newark, which is also the name returned by a whois search of the socialcaptain.com site. The official company page also offers to let you “buy Instagram likes” at the bottom, something that is prohibited by Instagram’s terms of service and can lead to an account ban if discovered.
The Instagram password leak was discovered by an anonymous security researcher, who alerted TechCrunch in late January. The researcher found a database of about 10,000 scraped accounts. About 4,700 of these accounts had usernames and passwords visible in plaintext. Of these, about 70 were paying SocialCaptain customers that had billing addresses attached to their accounts. Accounts that did not have passwords listed had their names and email addresses exposed to anyone who viewed the web page.
SocialCaptain stated that they had fixed the vulnerability allowing direct access to profiles via URL manipulation, but TechCrunch reported that passwords continue to be visible in the profile source code.
Another major breach for Instagram; second within a year
The 2019 Instagram password leak was also caused by a third-party company that works with influencers, Mumbai-based Chtrbox. Though private contact information was exposed, that breach did not include Instagram login credentials, nor did it give anyone access to other users’ accounts.
Any Instagram password leak necessarily has fallout for parent company Facebook, which has been struggling with its own string of security issues since the infamous Cambridge Analytica scandal broke. The company left 419 million private user phone numbers exposed in September, and had its own unprotected Amazon cloud server breach in April that impacted hundreds of millions of Instagram users and in some cases left passwords visible.
Facebook’s recent Q4 earnings call specified that the company will have a renewed focus on user privacy in 2020. One important step in this process is tighter scrutiny of third-party apps and services such as SocialCaptain. Facebook suspended tens of thousands of apps in 2019 for various privacy and security violations, but the recent Instagram password leak makes clear that more work needs to be done.
The Instagram password leak did not necessarily stem from bad intent; sometimes it’s simply a case of sloppy design. A company with Facebook’s resources should be able to identify and manage these sorts of issues. As Adam Brown, Security Solutions Manager at Synopsys Software Integrity Group, points out:
“Design flaws are the cause of approximately 50% of all software vulnerabilities. They are seldom detected without performing a design review as this activity requires select expertise. That said, in this case a penetration test should have easily identified this flaw.
“This is especially bad for affected users not just because their Instagram passwords are now breached, but also due to the fact that people commonly reuse passwords which could lead to unauthorised access of additional accounts by extension.”
Of course, Instagram and Facebook users should practice good security hygiene as well. As Tony Jarvis, Chief Technology Officer (Asia Pacific) at Check Point Software Technologies, points out:
“What we see here is yet another example of how integrating one type of user account into another service introduces an additional source of potential risk. With each service that has access to a user’s login details, a vulnerability in any of those platforms could lead to an account being compromised or details being exposed.
“It’s always prudent to consider who you are entrusting your login credentials to and the potential consequences should a breach occur. In this case, users of the service would be best advised to immediately change passwords for not only the affected account, but any other accounts sharing the same password. Be on the lookout for emails that may use the leaked data to craft more convincing phishing attacks, and monitor communications from such providers as they provide updates to customers following any such incidents.”