It has been revealed that Instagram’s lax privacy practices let trusted partner Hyp3r track millions of users’ physical locations, secretly save their stories, and flout its rules. Hyp3r used four key tools to scrape data from Instagram users. First, it utilized an Instagram security hole that allowed it to “zero in on specific locations” and collect all the posts made from those locations. Second, Hyp3r “systematically saved users’ public Instagram stories,” again utilizing that location data. Third, it “scraped public user profiles on a broad basis, collecting information like user bios and followers, which it then combined with the other location information.” Lastly, Hyp3r used image recognition software on user posts to analyze that the images included.
Full Story Here: https://9to5mac.com/
2019/08/07/instagram-ad- partner-hyp3r/
There are several things on the table here, and they are not really cyber security related. Firstly, there is the ethical side to the scraping of data from Instagram. Remember, this was perfectly allowed by Instagram until Facebook (the owner) fell afoul of the Cambridge fiasco. Instagram has changed its rules, but is that enough? The data was still being collected because Instagram did not understand, track or otherwise care about the 3rd parties using the API into their data. Where is the duty of care to its consumers? I doubt any Instagram user was aware or would be willing to allow their locations and other personal information to be tracked by an outside party.
Secondly, there is the implication of GDPR. EU citizens’ data can only be used for the purpose of which permission has been granted, nothing more. Now, there may be a check box hidden away that grants Instagram to use the data for other purposes, but is that opting in or out? Tracking citizens activities and locations and using that data to advertise is one thing, but what happens when that third party is hacked or the data is otherwise abused… Who is liable for the fines? I suspect Instagram and therefore Facebook need to be a lot clearer and more careful on what their third-party partners are doing with their data.
And lastly there is the configuration issues. Lax security around access in one of the most commonly used backdoors to allow hackers in. In this case it was a trusted 3rd party, but the net result is the same. Instagram didn’t do the right things, they didn’t lock the doors and they certainly weren’t checking either. This data has been possibly leaking for over a year. Any third-party access to sensitive data should be tracked and monitored. Any accounts and passwords used should be locked away and only requested when needed. These actions tend to stop the configuration issues dead in their tracks but this is not to say that configs shouldn’t be routinely checked. Especially after a policy change, in the case of Instagram.
This could be a violation of GDPR if there is EU citizens data being collected using the app. Harvesting of EU citizens’ data without permission is a violation of the directive, and we are starting to see organisations being fined significant amounts of money for ignoring privacy rights and not making the necessary steps to protect their users’ personal information.
People also need to understand that if an app is free to use, the product is the user. The majority of social media apps and networks leverage individuals’ data as a commodity, that’s their business model, we should not forget that. Hyp3r’s scraping of data is unethical and probably illegal, but Instagram should be held accountable for allowing such a loophole to exist in the first place.
Whilst a new attack vector is an interesting warning to all organisations – and an illustration of the ingenuity of man – for many organisations this is just another issue they need to worry about. Attacks like these are particularly concerning as they are so difficult to detect and can prove to be detrimental if executed successfully. These attacks are certainly viable as they require low powered devices that can be activated remotely, meaning they can withstand transit for many days without losing power. Organisations should be extra vigilant when accepting packages and refrain from leaving empty boxes within the confines of the business.
This attack method isn’t new and has been leveraged by pen testers for many years, and not just warshipping but also ‘leave behind.’ It’s a reminder of the risks rogue assets and other unexpected devices on the network poses.
\”Having robust authentication methods on WiFi connections as well as an effective network access control solution will mitigate attack methods like warshipping, but It’s critical that organisations reduce their time to discover all new devices that appear on the network, categorise and assess them for vulnerabilities, and remove any that deviate from security policies.
Even if scraping publicly available data seems unlikely to be illegal under US law, there is still a risk that people are losing trust. Any organization processing consumer data should be very careful when sharing that data with third parties or making it publicly available. Sensitive data, even data sets that don’t seem to be identifiable information at first sight, always needs to be protected.
There is not only the risk of a breach. Data might also be stitched together and/or used in an inappropriate way by simply allowing third parties to access it – due to misconfiguration or lax oversight. While large Tech-firms seem to have an easier job when it comes to customer loyalty – other companies might lose valuable customers and therefore market share.