The advent of social media revolutionized many aspects of our daily life. One such object, whose nature and significance underwent a sea change after social media platforms became an integral part of our life, is the photograph. We no longer take snapshots only to mark special occasions. Images are clicked whenever the whim strikes, for reasons as trivial as a “good hair day”, and are instantly uploaded to social media. Posts, shares, likes, comments, hashtags and selfie sticks have become a way of life, so much so that “selfie” was declared word of the year for 2014.
At this juncture, it is not surprising that an app like “Instagram”, whose caption reads “Capturing the moments of the world”, has become so popular. An app completely devoted to sharing photos and videos was bound to be a hit. The question on many people’s minds was: how do you hack someone’s Instagram profile?
Instagram did not leave room for any complaint within the narrow area of its focus. It provides options for basic editing of images prior to upload. Apart from cropping, resizing and adjusting brightness and contrast, attractive filters are also available. Users have the option of customizing pictures. They can share pictures privately as well as publicly. It is integrated with other social media platforms such as Facebook and Twitter, enabling users to upload pictures simultaneously on multiple platforms. The simple, comprehensive interface combined with extremely useful features created magic. 200 million of us are hooked.
The number of celebrities on this platform is considerably high. We get to peek into their lives every now and then, from what they had for breakfast to where they went for a weekend away. However, glimpses are not enough for some of us. We wish for more. Curiosity drives us to find out which pictures they are hiding from the world, choosing to reveal them only to a select few. We long to be on the other side, to assume someone else’s identity for just a day. The question “how to hack someone’s Instagram” plays on our minds pretty often.
As it turns out, it is not very difficult. There is no denying that the features of Instagram are awesome. However, when it comes to security, they have done a lousy job. Incidents of Instagram accounts being hacked take place on a regular basis. Hackers all across the world have found numerous loopholes within Instagram.
After Facebook’s acquisition of Instagram, Instagram was included in Facebook’s bug-bounty programme. In this popular programme, Facebook pays a high sum of money to ethical hackers who can spot a vulnerability on Facebook or any of the Facebook-owned platforms. Jani, a 10-year-old schoolboy from Finland, not even old enough to join Facebook according to the website’s own rules, became the youngest recipient of a $10,000 reward. He spotted a vulnerability in the comments section of Instagram. He injected malicious code into the comments section, which crashed it and enabled him to delete other users’ comments.
Two other bugs were reported by Belgium-based IT security consultant Arne Swinnen. One was a lack of authentication. He was going through the verification process for an Instagram account, via a code sent to his email. The procedure sounds pretty standard. He spotted the loophole when he inspected the URL of the verification page: it contained the unique user ID that Instagram assigns to every user. He tampered with the ID number. By putting in random numbers, he discovered that for valid ID numbers he was able to alter the associated email address. This gave him full access to the account.
Temporarily locked accounts constitute 0.17% of total Instagram users. That may not seem to be a big threat. However, on further manipulation, Swinnen found that he could also tweak the phone numbers associated with certain Instagram accounts. Through another method of account verification, he could see the phone numbers associated with certain accounts and even had the option of changing them. Once a number was associated with his account, he could opt for a password reset via phone. In this manner, it was possible for him to trick Instagram into sending an SMS to his number concerning the password reset of someone else’s account. According to his estimate, 1 million users’ accounts are vulnerable in this way. These accounts had merely been inactive for a couple of weeks. Many of them have a great number of followers as well. Facebook was very prompt in taking action: the loopholes were patched within 24 hours of being reported.
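The flaw described in the two paragraphs above is an access-control failure: the page that changed an account's email address (and, by the second route, its phone number) decided *which* account to modify from a user ID carried in the URL, so editing that number edited somebody else's account. The following added example, which is not Instagram's code and models nothing beyond what the text describes, contrasts that pattern with a hardened handler. Everything in it is constructed for the example: the in-memory `Store`, the `Account` records, the `change_email_*` handler names, and the single-use verification token scheme are all assumptions.

```python
"""Added example (not Instagram's code): a user ID from the URL must not decide
which account a request modifies. All names and data here are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    user_id: int
    email: str
    phone: Optional[str] = None


@dataclass
class Store:
    accounts: Dict[int, Account] = field(default_factory=dict)
    # Pending verification tokens, each bound server-side to the user it was issued for.
    tokens: Dict[str, int] = field(default_factory=dict)


class AuthorizationError(Exception):
    """Raised (and, in a real service, logged) when a request targets another user."""


def make_demo_store() -> Store:
    """Two constructed accounts: the legitimate user (1) and a second user (2)."""
    store = Store()
    store.accounts[1] = Account(1, "user1@example.test", "+10000000001")
    store.accounts[2] = Account(2, "user2@example.test", "+10000000002")
    return store


def issue_verification_token(store: Store, user_id: int) -> str:
    """Issue a random single-use token and remember server-side who it belongs to."""
    token = secrets.token_urlsafe(32)
    store.tokens[token] = user_id
    return token


def change_email_vulnerable(store: Store, url_user_id: int, new_email: str) -> Account:
    """The flawed pattern: the user ID taken from the URL is trusted directly.
    Nothing ties the request to the session that asked for verification, so
    changing the number changes a different account's email."""
    account = store.accounts[url_user_id]
    account.email = new_email
    return account


def change_email_hardened(store: Store, session_user_id: int, url_user_id: int,
                          token: str, new_email: str) -> Account:
    """Hardened pattern: the acting user comes from the authenticated session,
    the token must have been issued to that same user, and the URL's ID is
    accepted only when it matches. Any mismatch is refused, not silently fixed."""
    token_owner = store.tokens.get(token)
    if token_owner is None or token_owner != session_user_id:
        raise AuthorizationError("verification token was not issued to this session's user")
    if url_user_id != session_user_id:
        # Detection hook: a session acting on a different ID is a strong IDOR signal.
        raise AuthorizationError(
            f"user {session_user_id} attempted to modify user {url_user_id}")
    del store.tokens[token]  # single use: a replayed token is rejected
    account = store.accounts[session_user_id]
    account.email = new_email
    return account


if __name__ == "__main__":
    demo = make_demo_store()
    # Vulnerable handler: a request that names user 2 rewrites user 2's email.
    print(change_email_vulnerable(demo, 2, "other@example.test"))
    tok = issue_verification_token(demo, 1)
    try:
        change_email_hardened(demo, 1, 2, tok, "other@example.test")
    except AuthorizationError as err:
        print("refused:", err)
    print(change_email_hardened(demo, 1, 1, tok, "new1@example.test"))
```

The same rule covers the phone-number route in the text: the number to display or change is looked up from the session's user, never from a client-supplied identifier, and every refused mismatch is worth alerting on because a legitimate client never produces one.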
Swinnen encountered the second security problem while registering for a test account. He found that repeated registration requests produced a scripting error, which revealed a credentials oracle. After removing all the parameters apart from “Username” and “Password”, he was able to begin brute-forcing the test account. To his surprise, this brute-force attack did not trigger any account lockout, rate limiting or other protection system. After 1,001 attempts, it was confirmed that the brute-force tactic yielded the password. This weakness rendered every Instagram account vulnerable, particularly those with short and predictable passwords. He also commented that it would have been quite effective against high-profile accounts.
The Instagram authorities took a long time to resolve this issue. Finally, rate limiting was introduced at the registration endpoint. As an added precaution, Instagram banned the use of extremely simple passwords such as “123456” or “password”.
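The two mitigations named in the paragraph above, rate limiting on the endpoint that checks credentials and a deny list of trivial passwords, are shown together in this added example. It is not Instagram's code; the `AuthService` and `RateLimiter` names, the attempt and window limits, the tiny deny list, and the demo user are all assumptions, and the clock is injectable so the sliding window can be exercised deterministically.

```python
"""Added example (not Instagram's code): sliding-window rate limiting per
account and per source address, plus a weak-password deny list, on a
credential-checking endpoint. Limits and names are assumed values."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, Tuple

# Constructed deny list; a real deployment would load a large breached-password set.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "111111", "12345678", "abc123"}
MAX_ATTEMPTS = 5        # failures tolerated per window (assumed value)
WINDOW_SECONDS = 300    # sliding window length (assumed value)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Used for unknown usernames so a failed lookup costs the same as a real check.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


class RateLimiter:
    """Counts failures per key inside a sliding window; the 1,001 unchecked
    attempts described in the text would be cut off at MAX_ATTEMPTS."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self.failures: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def _prune(self, key: Hashable, now: float) -> None:
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key: Hashable) -> bool:
        now = self.clock()
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_attempts

    def record_failure(self, key: Hashable) -> None:
        self.failures[key].append(self.clock())

    def reset(self, key: Hashable) -> None:
        self.failures.pop(key, None)


class AuthService:
    def __init__(self, limiter: RateLimiter):
        self.limiter = limiter
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> str:
        """Deny-list check at registration, the second mitigation in the text."""
        if password.lower() in WEAK_PASSWORDS or len(password) < 8:
            return "rejected_weak_password"
        self.users[username] = hash_password(password)
        return "ok"

    def login(self, username: str, password: str, source_ip: str) -> str:
        # Limit on both the targeted account and the source, so neither one
        # source spraying many accounts nor many sources on one account slips by.
        keys = (("user", username), ("ip", source_ip))
        if any(self.limiter.is_blocked(k) for k in keys):
            return "rate_limited"          # no oracle: same answer for any password
        record = self.users.get(username, _DUMMY_RECORD)
        if username in self.users and verify_password(password, *record):
            for k in keys:
                self.limiter.reset(k)
            return "ok"
        for k in keys:
            self.limiter.record_failure(k)
        return "invalid_credentials"


if __name__ == "__main__":
    svc = AuthService(RateLimiter(max_attempts=3, window=60))
    print(svc.register("demo", "123456"))              # rejected_weak_password
    print(svc.register("demo", "correct horse battery"))
    for guess in ("a", "b", "c", "correct horse battery"):
        print(guess, "->", svc.login("demo", guess, "192.0.2.10"))
```

Two details matter for the oracle the text mentions: the limiter answers `rate_limited` before any credential check, so a blocked caller learns nothing about the password, and unknown usernames still run a hash comparison so response time does not reveal which usernames exist.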
In 2015, he employed another method, involving man-in-the-middle attacks, signature-key publishing and APK decompilation, which enabled him to find 10 bugs in Instagram’s web interface, mobile interface and infrastructure. This bug bounty amounted to $5,000.
Another bug report came from Wesley Wineberg, then a contract employee and now a senior security research engineer at Synack. The vulnerabilities he unearthed gave him access to Instagram’s source code, SSL certificates and private keys. His findings, however, have been kept private, as Facebook chief security officer Alex Stamos branded these hacks as “unethical”.