CSRF Vulnerability in Instagram Allowed Hackers to Make Private Profiles Public

CSRF vulnerability in Instagram fixed by Facebook

Independent security researcher Christian Lopez Martin has identified a cross-site request forgery (CSRF) vulnerability in Instagram that could have been leveraged to gain access to users’ photos and information by making their private profiles public.

The expert found that the service didn’t use any mechanism to prevent CSRF attacks. This allowed him to create a simple CSRF exploit.

The security hole was first reported to Facebook on August 22, 2013. Facebook deployed a fix on September 6, but the researcher found a way to bypass it.

A second fix was rolled out, but it too turned out to be ineffective. Instagram was properly patched against CSRF attacks only on February 4, 2014.
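The weakness described above is a state-changing endpoint that trusts the session cookie alone. The following is an added illustration, not Instagram's code or the researcher's exploit, of the check such an endpoint is missing: a minimal model of a "set profile privacy" handler without any anti-CSRF mechanism beside a version protected by a per-session synchronizer token and an Origin check. The `Session`, `Request`, `SITE_ORIGIN` and handler names are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified model of a session-backed web app exposing one
# state-changing action: switching a profile between private and public.
SITE_ORIGIN = "https://app.example"  # assumed origin of the site itself


@dataclass
class Session:
    user: str
    private: bool = True
    # Per-session token, generated server-side and embedded in legitimate forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    session: Session            # the browser attaches the session cookie automatically
    form: dict
    origin: Optional[str] = None  # Origin header; may be absent on some requests


def set_privacy_unprotected(req: Request) -> bool:
    """Weak handler: only the cookie authenticates the request, so a form
    auto-submitted from any other site is indistinguishable from a genuine one.
    Returns True when the privacy setting was changed."""
    if req.method != "POST":
        return False
    req.session.private = req.form.get("private") == "1"
    return True


def set_privacy_protected(req: Request) -> bool:
    """Hardened handler: the submitted token must equal the one stored for this
    session (constant-time compare), and an Origin header, when present, must
    be our own. Third-party pages cannot read the token, so their posts fail."""
    if req.method != "POST":
        return False
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False
    req.session.private = req.form.get("private") == "1"
    return True


def simulate_cross_site_post(session: Session) -> Request:
    """Constructed test input modelling a form posted from another origin:
    the victim's session rides along, but no valid token is included."""
    return Request("POST", session, {"private": "0"}, origin="https://other.example")
```

Running the two handlers on the same simulated request shows the unprotected one flipping the profile to public while the protected one rejects it; a legitimate form carrying the session's token is still accepted.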

Additional technical details on this Instagram CSRF vulnerability are available on the security researcher’s blog.
