As reported by Instagram yesterday, criminals have been exploiting a bug in Instagram that allowed them to steal the credentials of Instagram users, including celebrities.
Kaspersky Lab researchers who noticed the bug notified Instagram on Tuesday, 29 August and have shared a brief technical analysis with the social media network.
The researchers discovered that the vulnerability exists in Instagram mobile version 8.5.1, released in 2016 (the current version is 12.0.0). The attack process is relatively simple: using the outdated application, the attacker selects the reset password option and captures the request using a web proxy.
They then select a victim and send a request to Instagram’s server carrying the target’s unique identifier or username. The server returns a JSON response with the victim’s personal information including sensitive data such as email and phone number.
The attacks are quite labor-intensive: each one has to be done manually, since Instagram uses mathematical calculations to prevent attackers from automating the request form.
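To make the failure mode concrete from the defender's side, here is an added illustration (not Instagram's code, and not derived from Kaspersky's analysis) of a password-reset handler that echoes the account's contact details in its JSON response, beside a hardened version that never returns them, rejects clients below a minimum version, and throttles requests per source. The account store, the request shape, the `MIN_CLIENT_VERSION` baseline and the rate-limit values are all constructed assumptions for this example; the `response_leaks_pii` check at the end is the kind of audit a team could run over its own API responses to catch this class of disclosure.

```python
"""Added example: a PII-leaking password-reset endpoint next to a hardened one.
All accounts, versions and request fields are constructed for illustration."""
import json
import re
import time
from collections import defaultdict

# Constructed sample account store (hypothetical users, not real data).
ACCOUNTS = {
    "celeb_user": {"id": 1001, "email": "celeb@example.com", "phone": "+15555550123"},
    "alice":      {"id": 1002, "email": "alice@example.org", "phone": "+15555550199"},
}

# Assumption: the server refuses app builds older than this patched baseline.
MIN_CLIENT_VERSION = (12, 0, 0)


def parse_version(v):
    """'8.5.1' -> (8, 5, 1); anything unparseable is treated as very old."""
    try:
        return tuple(int(x) for x in v.split("."))
    except ValueError:
        return (0, 0, 0)


def vulnerable_reset(request):
    """The pattern described in the article: the request names the victim by
    id or username and the response echoes their e-mail and phone number."""
    acct = ACCOUNTS.get(request.get("username")) or next(
        (a for a in ACCOUNTS.values() if a["id"] == request.get("user_id")), None)
    if acct is None:
        # Distinct failure body: also an account-enumeration oracle.
        return {"status": "fail", "message": "no such user"}
    return {"status": "ok", "email": acct["email"], "phone": acct["phone"]}


class HardenedResetService:
    """Same endpoint with the three controls a defender would add."""

    def __init__(self, limit=5, window=3600):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)  # source -> timestamps of accepted requests

    def _rate_limited(self, source, now):
        recent = [t for t in self.hits[source] if now - t < self.window]
        self.hits[source] = recent
        if len(recent) >= self.limit:
            return True
        recent.append(now)
        return False

    def reset(self, request, source, now=None):
        now = time.time() if now is None else now
        # 1. Refuse outdated clients: the article's attack relied on the server
        #    still honouring a 2016 app build.
        if parse_version(request.get("client_version", "0.0.0")) < MIN_CLIENT_VERSION:
            return {"status": "fail", "message": "client update required"}
        # 2. Throttle per source so a manual lookup cannot become a scripted sweep.
        if self._rate_limited(source, now):
            return {"status": "fail", "message": "too many requests"}
        # 3. Accept only a username (a raw numeric id is a sequential handle) and
        #    return one fixed body whether or not the account exists. The reset
        #    link goes out-of-band; contact details never appear in the response.
        _ = ACCOUNTS.get(request.get("username"))  # lookup used only to send the link
        return {"status": "ok",
                "message": "If the account exists, a reset link has been sent."}


# Audit check: does a response body contain something that looks like PII?
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")


def response_leaks_pii(resp):
    body = json.dumps(resp)
    return bool(EMAIL_RE.search(body) or PHONE_RE.search(body))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset({"username": "celeb_user"}))
    svc = HardenedResetService()
    print("hardened:  ", svc.reset({"username": "celeb_user", "client_version": "12.0.0"}, "src"))
```

Running the module shows the vulnerable response carrying the e-mail and phone number while the hardened one carries only a generic message. The version gate comes before the rate limiter deliberately: an old client should be turned away without consuming any budget, and the fixed response body is what removes the enumeration signal the article describes.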
The hackers were spotted on an underground forum, trading the personal credentials for celebrity accounts.