Social Captain, the social media boosting service, which bills itself as a service to increase users' Instagram followers, has exposed thousands of Instagram account passwords after storing them in unencrypted plain text.
Social Media Startup Social Captain Exposed Thousands of Instagram Account Passwords Stored in Plaintext, Bug Allowed Access to Any User's Profile https://t.co/H7EnkKdgiy
— ProtecIT (@Protecit_online) January 31, 2020
Social influence is almost as valuable as real currency these days, and there is no shortage of services which promise to boost individuals' social presence and following.
However, social media accounts can be worth a lot, particularly those belonging to influencers, some of whom can charge many thousands per post.
Therefore, it's vital for companies that provide such services to have security at the forefront of any app they develop to ensure the safety of their users.
From a user perspective, they should take all measures available to secure their social media accounts. This includes turning on failed logon or new login notifications and enabling 2FA.
Most importantly, users should never share their passwords for one platform with another, even if it is to boost their social presence. A good service would not ask for a user's password and would instead link accounts via OAuth or similar.
There is so much peak "millennial" in this story. Unfortunately, social status has become such a talking point of modern life, so much so that users and companies do whatever they can to improve their presence on social media. This also means that security may take a back seat.
This application was certainly not ready to process data from such a large social media platform when it stores the usernames and passwords in plaintext, an issue that would be identified using a basic vulnerability scan.
The actual bug is interesting, as it highlights how easily security can go wrong when facilitating third-party integration. In this case, it was integration with a third-party email service. In my experience, this represents one of the toughest areas from a security testing scenario. What's exposed, whose scope does it fall under, do I have the right to test it? APIs and other methods of integration have greatly enhanced the web experience for users, but it's time for organisations to realise that security needs to be as important as user experience. APIs and third-party libraries should be mapped out and tested with the same depth and rigour as the application and network that feeds them. A "full-stack" approach needs to be taken.
As always, it will be interesting what action will be taken under GDPR and CCPA in relation to this breach.
It is disappointing that in 2020 we are still seeing service providers failing to follow even the most basic steps to secure their customers’ data. The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). The Social Captain use case is special — they need the user’s clear-text password to log into their customer’s account. Given the sensitive nature of this architecture, it is all the more surprising that they failed to encrypt users’ passwords by default — and it appears that they continue to store these passwords in the clear. Service providers have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and have a radical rethink of their approach to security.
While it’s understandable that people might want to boost their Instagram following, this shouldn’t be at the expense of their online security. The fact Social Captain – or indeed any online service – stores login credentials in plain text is of great concern. In this particular case it’s even scarier to think that someone else could view these credentials without even having to log in to the Social Captain site. Anyone who has signed up to Social Captain should change their Instagram passwords.
Individuals should think twice before letting a third-party site, service, or application use actual credentials for things like Twitter, Instagram, Facebook (et al) since such a requirement inherently means those credentials will be stored in a way to be reused (i.e. the passwords will not be hashed). Furthermore, the OAuth standards were developed to enable support for third-party workflows without the need to give unrestricted access via the use of user credentials. If a site's API does not provide sufficient functionality, these third-party services should work with the primary application — i.e. Social Captain should have worked with Instagram to have whatever functionality they needed baked into the API proper vs. bypassing these safety measures by requiring user credentials. Hopefully this will be a learning opportunity for other third-party services who still rely on user credentials for access and instrumentation to services like Twitter, Instagram, or Facebook.
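The two quotes above make the same technical point from different angles: a normal service verifies a login against a one-way hash and never needs the password back, which is exactly why a service that must replay a user's Instagram credentials (instead of using OAuth) ends up holding a reusable secret. The added example below is not Social Captain's code; it contrasts a constructed plaintext "user table" with a salted PBKDF2 record and shows what a leaked row reveals in each case.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; chosen here to match current OWASP guidance.
_ITERATIONS = 600_000


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The failure mode in the article: the secret itself is written to the record."""
    users[username] = {"password": password}


def store_hashed(users: dict, username: str, password: str) -> None:
    """One-way storage: random per-user salt plus a slow, salted hash.

    The record lets the service *verify* a login but not *recover* the password,
    so a leaked table cannot be replayed against Instagram or anywhere else.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    users[username] = {"salt": salt.hex(), "hash": digest.hex(), "iter": _ITERATIONS}


def verify_hashed(users: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = users.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["iter"]
    )
    # hmac.compare_digest avoids leaking the stored hash through comparison timing.
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def record_exposes_password(users: dict, username: str, password: str) -> bool:
    """What an attacker reading a leaked row gets: is the password literally in it?"""
    return password in str(users[username])


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    leaky, safe = {}, {}
    store_plaintext(leaky, "alice", "correct horse battery staple")
    store_hashed(safe, "alice", "correct horse battery staple")
    print("plaintext row leaks password:", record_exposes_password(leaky, "alice", "correct horse battery staple"))
    print("hashed row leaks password:   ", record_exposes_password(safe, "alice", "correct horse battery staple"))
    print("login verifies against hash: ", verify_hashed(safe, "alice", "correct horse battery staple"))
```

Hashing only fits the "vast majority" case described above; a service that must log in on the user's behalf cannot hash, which is the architectural reason the OAuth route is the safer design.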