Instagram Bug Exposed Private Accounts, Allowing Unfettered Access to Archived Content

June 15, 2021

Instagram has resolved a significant vulnerability that permitted anyone to access archived posts and stories from private accounts without needing to follow them. Security researcher Mayur Fartade revealed in a Medium post today that “this bug could have allowed a malicious user to view targeted media on Instagram.” By leveraging the Media ID, an attacker could see details of private posts, stories, reels, and IGTV videos without following the user. Fartade reported the issue to Facebook’s security team on April 16, 2021, and the flaw was patched on June 15, leading to a $30,000 reward for his efforts through the company’s bug bounty program. Although exploiting this vulnerability required knowledge of the media ID, Fartade demonstrated that by brute-forcing the identifiers, it was feasible to send a POST request to a GraphQL endpoint and access sensitive information. As a result of this flaw, details like likes, comments, and saves could have been exposed.

Instagram Security Vulnerability Exposed Private Accounts

Instagram has recently addressed a significant security vulnerability that permitted unauthorized access to archived media from private accounts. This flaw allowed any individual to view posts and stories of users without needing to follow them, raising serious concerns about personal data protection on the platform.

According to security researcher Mayur Fartade, who disclosed the issue, the vulnerability had the potential to enable malicious actors to access sensitive media, including private posts, stories, reels, and IGTV videos. Fartade detailed in a Medium post that this access was made possible through the exploitation of Media IDs associated with specific images, videos, or albums. By employing brute-force methods to identify these IDs, an attacker could craft a POST request to a GraphQL endpoint, thereby retrieving private data.
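The flaw class described above is a missing object-level authorization check: the server returns a media object to whoever supplies its ID. The sketch below is an added example, not Instagram's code or the researcher's. It puts an unchecked lookup beside one that authorizes the viewer on every request. The data model, the function names, and the policy that archived media is visible only to its owner are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: int
    is_private: bool
    approved_followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner: Account
    archived: bool
    stats: dict  # like / comment / save counts

# Constructed sample data (hypothetical IDs, not real identifiers).
ALICE = Account(user_id=1, is_private=True, approved_followers={2})
STORE = {
    1001: Media(1001, ALICE, archived=False,
                stats={"likes": 12, "comments": 3, "saves": 1}),
    1002: Media(1002, ALICE, archived=True,
                stats={"likes": 40, "comments": 9, "saves": 5}),
}

def resolve_media_vulnerable(viewer_id, media_id):
    """Unchecked lookup: knowing the ID is treated as permission to read."""
    media = STORE.get(media_id)
    return media.stats if media else None

def can_view(viewer_id, media):
    """Object-level authorization, evaluated server-side on every lookup."""
    if viewer_id == media.owner.user_id:
        return True   # the owner sees everything, including the archive
    if media.archived:
        return False  # assumed policy: archived media is owner-only
    if media.owner.is_private:
        return viewer_id in media.owner.approved_followers
    return True

def resolve_media_hardened(viewer_id, media_id):
    media = STORE.get(media_id)
    # "Missing" and "forbidden" return the same result, so a denied
    # lookup does not confirm that a guessed ID exists.
    if media is None or not can_view(viewer_id, media):
        return None
    return media.stats
```

Because the hardened resolver answers identically for nonexistent and forbidden IDs, repeated lookups reveal nothing about which IDs are valid. Per-client rate limiting on the lookup is a complementary control.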

Fartade reported the issue to Facebook’s security team on April 16, 2021, and the flaw was officially patched by June 15. In recognition of his efforts to secure the platform, he was awarded $30,000 as part of Facebook’s bug bounty program.

While the vulnerability required knowledge of Media IDs, its existence underscores a broader risk within social media platforms regarding the accessibility of private user information. The ramifications of such breaches extend beyond individual privacy, posing significant risks to businesses and organizations that rely on these platforms for marketing and community engagement. In the current cybersecurity landscape, where data privacy is of utmost importance, this incident serves as a stark reminder of potential vulnerabilities inherent in digital services.

The attack reflects a concerning use of initial access tactics as outlined in the MITRE ATT&CK framework. Specifically, the technique of exploitation of public-facing applications may have been applicable, as attackers sought entry points to access unguarded data. Furthermore, the ability to manipulate identifiers aligns with tactics associated with credential dumping, wherein adversaries harvest privileged information to gain illicit access.

Business owners must remain vigilant and proactive regarding their own data security measures, particularly as social media platforms continue to evolve. They should ensure that appropriate safeguards are in place to protect sensitive information and regularly review the security protocols of any platforms they utilize. The Instagram incident reinforces the necessity of constant vigilance in the face of continually emerging threats in the digital landscape.
