Instagram Holes Leave Accounts Open to Hijack

Following reports that Instagram holes have left accounts open to hijack, Tod Beardsley, Security Research Manager at Rapid7 commented below.

Tod Beardsley, Security Research Manager at Rapid7:

“The authentication issues found and reported by Arne Swinnen highlight the success of Facebook’s bug bounty program for its Instagram property. Given the combination of easy user enumeration — guessing valid user IDs — and evadable password guessing rate limiting — means that attackers could have hijacked thousands of Instagram accounts for the purpose of spamming and phishing attacks, undetected.

Because Facebook and Swinnen worked together to identify and fix the rate limiting issues, Facebook gets to tell a positive story of better security moving forward. While Swinnen was the first to report, there is no guarantee that the researcher was the only person to discover these issues; Instagram users are encouraged to go above and beyond the minimum password requirements and change their passwords as soon as practical.

The best passwords are as long as the service allows of purely random characters, and saved in a password manager such as Keepass, Onepassword, or Lastpass. While many sites limit password length to 10 or 12 characters, Instagram appears to allow extremely long passwords (over 40 characters), so users can take advantage of this to create passwords which are not guessable even in the face of a rate unlimited attack like the one described by Swinnen.”