According to a report on The Information Instagram has experienced a pretty major security bug which allowed user passwords to be displayed in plain text. The issue arose, ironically, over the feature which allows users to see exactly what personal data Instagram has collected about them. Yes, the “Download your data” feature could potentially let anybody download your data, if you access the feature on a public computer, thanks to the bug.
The Download your Data feature was introduced last April in order to comply with new European data privacy regulations (the GDPR) as well as to keep users around the world, who are becoming more and more security & privacy conscious since the Facebook revelations over the last couple of years.
The confirmation from Instagram that you have requested to download your personal data.
The Download your Data feature, as the name suggests, allows you to download all the information Instagram has on you. Essentially, you submit your request, and all your data is packaged up and a link is emailed to you. The problem was, after submitting the firm, your password was then shown in plain text in the URL of the next page after you submit. This means that if you used the feature on a public computer or if anybody had access to your personal computer after you made the request, they would be able to pull up the history and see your Instagram password right there.
As the headline on The Information says, this “raises security questions”. The biggest of which is “What the hell is anybody doing storing plain text passwords these days?!!?”. Such an incident should never be allowed to occur in the first place.
Most websites on the Internet today use some form of one-way encryption. When you create your password, it is “salted” (it has some other kind of data attached to the beginning and/or end of it) then it is encrypted using one-way encryption that can’t be decrypted. This encrypted code is then stored in the database. When you come back to visit the website and enter your password in the future, it, too, is salted, encrypted and then compared to the encrypted string in the database.
Your plain text password is never stored, anywhere. This is why most websites today are unable to just send you your password and just send you a new one. It’s why tech support places can’t see your password and why companies say you should never give it out to anybody, even them.
If Facebook is using plain text passwords on any part of its platform or services then that is a huge security issue.
Facebook sent out a message to some Instagram users informing them of the issue and they have since changed the way the Download Your Data tool works to eliminate the bug, but Instagram users have been told to update their passwords and clear their browsing history.
They haven’t said how many users this potentially affects, but the bug was initially reported on in November 2018. While this is an older bug, if you’ve used the Download Your Data feature at all since it was introduced last April, I’d probably follow that advice if I were you. And it serves as a reminder to constantly be aware of security issues and not use the same password on multiple sites.
[via DPReview]
