It took Instagram six months to fix a bug that would have allowed hackers to expose your private pics to the world, Forbes reports.
Christian Lopez, an independent security researcher based in Spain, found a flaw in Instagram’s system that allowed hackers to invisibly change a user’s settings from private to public.
Lopez reported the bug to Facebook’s security team in August 2013, but he told Forbes that the company didn’t completely fix the flaw until February 4, after nearly six months and multiple missteps.
The bug that Lopez discovered would have let malicious parties use a common technique called “cross-site request forgery” (CSRF). The attack does not steal any cookies; it relies on the fact that a browser automatically attaches the user’s Instagram session cookie to any request sent to Instagram, including one triggered by a web page the attacker controls. To start the attack, the user would need to click on a link crafted by the hacker (the link would likely be sent through a phishing email). If a user clicked one of these bad links while still holding a valid Instagram login session in the same browser, the attacker’s page could silently send a request through Instagram’s publicly exposed developer API that flipped the account’s privacy setting from private to public.
Lopez told Forbes that Facebook partially fixed the problem less than a month after his report, but didn’t completely fix it until February.
Despite Instagram’s long period of vulnerability, an Instagram spokesperson told Forbes that it saw no evidence that any accounts were ever hacked using this bug. Still, the episode is a good reminder that sharing very personal or embarrassing photos on the Internet under the cover of “privacy” may never be a great idea.
As part of its White Hat Program, Facebook paid Lopez a four-figure bug bounty for reporting the bug.