Following reports that Instagram holes have left accounts open to hijack, Tod Beardsley, Security Research Manager at Rapid7 commented below.
Tod Beardsley, Security Research Manager at Rapid7:
“The authentication issues found and reported by Arne Swinnen highlight the success of Facebook’s bug bounty program for its Instagram property. The combination of easy user enumeration (guessing valid user IDs) and evadable password-guessing rate limiting means that attackers could have hijacked thousands of Instagram accounts for the purpose of spamming and phishing attacks, undetected.
Because Facebook and Swinnen worked together to identify and fix the rate limiting issues, Facebook gets to tell a positive story of better security moving forward. While Swinnen was the first to report, there is no guarantee that the researcher was the only person to discover these issues; Instagram users are encouraged to go above and beyond the minimum password requirements and change their passwords as soon as practical.
The best passwords are as long as the service allows, made of purely random characters, and saved in a password manager such as KeePass, 1Password, or LastPass. While many sites limit password length to 10 or 12 characters, Instagram appears to allow extremely long passwords (over 40 characters), so users can take advantage of this to create passwords which are not guessable even in the face of a rate-unlimited attack like the one described by Swinnen.”