Sebastian Guerrero, an independent researcher in Barcelona, says he has discovered a way to force a follow relationship with any Instagram user, private or public, by exploiting a server-side vulnerability in Instagram. In one case, Guerrero forced Mark Zuckerberg to follow his test account. Guerrero then sent him a message through a photo post, which would show up in Zuckerberg's feed of photos from the people he follows. Guerrero also used a test account to follow a private user without the approval that a private account normally requires.
On Wednesday night, Instagram issued a bug fix advisory that emphasizes that private data was kept safe:
However, among the vulnerabilities Guerrero listed, he said he was "…[A]ble to access images taken by users of the application and the information posted on their profile. Also, it was found that this vulnerability also affects users whose album is private, allowing access to photos stored on it" — which apparently contradicts the second and final points in Instagram's advisory. Hmm. While Instagram's statement could technically be true (Guerrero never posted or made public any actual photos from private users), his test appears to show that he was able to force a private user to accept his follow, and therefore could potentially have gained access to those photos. PC Mag also alleges there was a much longer delay than "a couple of hours" before the bug was fixed.
Nevertheless, Instagram says the bug is now fixed.