Instagram publicly admitted on Aug. 30 that an attacker was able to gain unauthorized access to a small amount of user information. The social networking service noted that it has already fixed the root cause vulnerability that enabled the attack.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API,” an Instagram spokesperson wrote in an email to eWEEK.
Instagram added that no account passwords were exposed and that the software vulnerability was fixed quickly. An Application Programming Interface (API) provides a mechanism for code to interact with backend software services on a platform. According to Instagram, the impact of the API attack was limited, with only a very small number of user accounts affected.
“At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue,” Instagram stated. “As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”
Security experts contacted by eWEEK were not surprised about the Instagram security incident or that an API flaw was involved.
In many recent breaches, an attacker gains unauthorized access by somehow obtaining user passwords from unsuspecting end users. Young-Sae Song, Vice President at Arctic Wolf, commented that in this incident the fault lay with Instagram and not the user, and that from the end user's perspective the hack could not have been anticipated.
APIs are controlled and managed by Instagram and are outside of anything a user can influence. Tom Kellermann, CEO of Strategic Cyber Ventures, noted that API security is often overlooked.
“The most common mistake is to not regularly assess APIs for vulnerabilities and misconfigurations once live,” Kellermann told eWEEK. “Oftentimes we forget that rugged coding is a lifelong journey, not a destination.”
Georgia Weidman, Founder and CTO at mobile penetration testing firm Shevirah, also noted that APIs are often not properly considered in security testing, which can lead to exploitable vulnerabilities in an otherwise security-conscious application. She emphasized that any way users, or even just clients, can interact with an app should undergo penetration testing, or simulated attacks by ethical hackers, as a regular part of the development process.
“A breach like this is likely to be overlooked by many since no passwords were breached,” Weidman told eWEEK. “But especially for high-profile individuals just knowing information like an email address and phone number can give an attacker a good starting point for digging deeper into an online identity.”
While securing APIs is important, it’s not necessarily a simple task to make sure that a given API deployment is in fact secure. Mike Buckbee, security engineer at Varonis commented that APIs are notoriously tricky to secure. He noted that APIs routinely interact with sensitive data, while being used in lots of potentially insecure ways by developers.
“An API developer could easily add a field containing sensitive information to a data set being returned,” Buckbee told eWEEK. “Since the dataset is being pushed out through the API it’s less likely to be noticed.”
Instagram isn’t the only web service that has had trouble this year with an API-related vulnerability. Joshua Martin, research analyst at SiteLock, noted that WordPress suffered an API hack earlier this year that had a similarly widespread effect.
“Companies using a public-facing API should review and limit the information allowed to pass through the API, and continually monitor and assess security effectiveness,” Martin told eWEEK. “Companies should also utilize penetration testing, and possibly bug bounties, to test security effectiveness.”
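Buckbee's point about a sensitive field quietly riding out through an API response, and Martin's advice to review and limit what an API is allowed to return, both come down to the same control: an explicit allowlist of response fields plus a regression check that catches over-exposure. The following is an added illustration, not code from eWEEK, Instagram or any of the quoted firms; the `User` record, its sample values and the endpoint handlers are constructed for the example.

```python
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class User:
    username: str
    bio: str
    email: str          # contact details: owner-only
    phone: str
    is_verified: bool = False

# Constructed sample record; every value is a placeholder.
SAMPLE_USER = User("celeb_account", "Official account",
                   "owner@example.com", "+1-555-0100", True)

# Fields a public profile endpoint may return, and fields that never leave
# the service unless the caller is the account owner.
PUBLIC_FIELDS = frozenset({"username", "bio", "is_verified"})
OWNER_ONLY_FIELDS = frozenset({"email", "phone"})

def profile_leaky(user: User, requester: Optional[str] = None) -> dict:
    """'Before': dumps the whole record regardless of who asks. A field added
    to User later goes out through the API without anyone reviewing it."""
    return asdict(user)

def profile_allowlisted(user: User, requester: Optional[str] = None) -> dict:
    """'After': copy only allowlisted fields; contact details are included
    only when the requester is the account owner."""
    record = asdict(user)
    allowed = set(PUBLIC_FIELDS)
    if requester == user.username:
        allowed |= OWNER_ONLY_FIELDS
    return {k: v for k, v in record.items() if k in allowed}

def leaked_fields(response: dict) -> set:
    """Review check: which owner-only fields does a response expose?"""
    return OWNER_ONLY_FIELDS & set(response)

def audit_endpoints(handlers: dict, user: User) -> dict:
    """Regression check for CI: call each handler as an anonymous client and
    report the endpoints that expose owner-only fields to it."""
    report = {}
    for name, handler in handlers.items():
        leaked = leaked_fields(handler(user, requester=None))
        if leaked:
            report[name] = leaked
    return report
```

Running `audit_endpoints` against every public handler in a test suite turns Martin's "continually assess" into a build failure the moment a new sensitive field leaks.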
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.