Instragram’s API flaw reveals celebrity data

To prevent hackers from accessing personal details of high-profile users, Instagram has fixed its application programming interface (API).

The photo-sharing service owned by Facebook noticed a flaw in its API through being exploited by hackers to access user details.

Instagram said in a statement: “A number of celebrities’ phone numbers and email addresses have been accessed by one or more hackers exploiting a flaw in the API.”

According to the company, those affected by the security breach through being account holders have been notified via email.

The company, which has more than 500 million users, declined to comment on how many people were affected by the breach, according to CNN, although it did announce no passwords had been stolen, and urged users to check for any suspicious activity on their accounts.

Ilia Kolochenko, CEO of web security company, High-Tech Bridge, said: “It’s a bit early to make any conclusions about the alleged breach, as the scope of the incident remains unclear. According to the information currently available, no passwords have been compromised, however it’s not yet confirmed. Nonetheless, based on other disclosed facts, this breach looks like an opportunistic rather than a targeted attack.

If the breach will be finally confirmed by Instagram, it will be a good, albeit sad, example of bug bounty failure. None of the people who exploited the vulnerability (for fun or profit) didn’t even bother to report it. In any case, the incident emphasises importance of comprehensive and continuous application security.”

According to security firm Distil Networks, 21% of APIs still go live without any input from security professionals, providing opportunities for cyber attackers.

Rami Essaid, CEO at Distil Networks, said to Computer Weekly: “APIs impact business and the world around us more than most people realise. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organisations to examine their own practices.

“CIOs and CISOs need to get a handle on how responsibility is addressed in their organisations and decide whether the process is sufficiently robust.”

Computer Weekly also noted security professionals have long warned the risks of not ensuring that APIs are secure, as they provide “easy” access to data that enables rich and dynamic user experiences.

Written by Leah Alger