In April, with the GDPR deadline and its requirement for data portability looming, Instagram released the long-anticipated “download your data” tool. The feature gave users the ability to download images, posts and comments.
Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, Instagram said.
As The Information reported last week, Instagram told affected users on Thursday night that if they’d used the “download your data” feature, their passwords may have shown up in plaintext in the URL of their browsers.
It seems that the problem occurred if users hit “enter” after typing their password instead of hitting the “submit” button.
That might not be a big deal to a user at home on an unshared computer, but as Facebook, which owns Instagram, said in the notice to users, it means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around, or anyone with access to their browser history.
HTTPS would have ensured that the URLs were encrypted in transit, and invisible to anyone snooping on the wire, but the biggest concern is what happened when the “download your data” request arrived at its destination, Instagram.
Passwords are closely guarded secrets and URLs are not, and so companies handle them very differently. Passwords are typically transformed into salted hashes before being stored, so that nobody – not even admins – can see them, while URLs are routinely logged in databases or log files precisely so that administrators can see them.
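As an added illustration, not part of the original article, of what “routinely logged” means in practice: a small Python routine that scans web-server access-log lines for credentials that arrived as URL query parameters (the consequence of a GET submission) and produces a redacted copy an operator could keep. The log lines, paths and parameter names are constructed for the example and are not Instagram’s.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that should never appear in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token"}

# The quoted request part of a Common Log Format line: method, target, protocol.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines: one GET that leaks a password, one POST, one harmless GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2018:21:03:11 +0000] "GET /download/request/?email=a%40example.com&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Nov/2018:21:03:40 +0000] "POST /download/request/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Nov/2018:21:04:02 +0000] "GET /explore/?q=sunset HTTP/1.1" 200 2048',
]


def sensitive_params(target):
    """Return the sorted names of sensitive query parameters in a request target."""
    query = urlsplit(target).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def redact_target(target):
    """Replace the values of sensitive query parameters, keeping the rest intact."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def scan_log(lines):
    """Yield (line_no, method, leaked_param_names, redacted_line) for each offending line."""
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue  # not a request line we understand; leave it alone
        leaked = sensitive_params(m.group("target"))
        if leaked:
            redacted = line[:m.start("target")] + redact_target(m.group("target")) + line[m.end("target"):]
            yield n, m.group("method"), leaked, redacted


if __name__ == "__main__":
    for line_no, method, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} request leaked {leaked}\n  -> {redacted}")
```

A POST submission keeps the same fields in the request body, which a default access log does not record, which is why the second sample line produces no hit.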
It’s a bit like treating something that’s supposed to be marked “Top Secret” as merely “Restricted”.
The Information quoted an Instagram spokesperson who said that the issue was…
…discovered internally and affected a very small number of people.
Facebook didn’t say whether anybody’s Instagram account was compromised because of the error, and Naked Security has learned that Instagram is indeed in the process of deleting any passwords that may have been incidentally logged by its systems.
We’ve already seen bigger, recent problems
Bigger problems, indeed. We don’t know what Facebook/Instagram’s definition of “small” is when it comes to this breach, but we do know that security practices led to a massive breach at Facebook in September, with what would eventually turn out to be around 30 million accounts affected and another 40 million reset as a “precautionary step.”
Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app. At least in the early days following the attack, Facebook said it looked like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.
Update 2018-11-21
Since publishing the article Naked Security has learned new information about the incident. We have updated the story to reflect the fact that passwords may have been written and stored in plain text log files, rather than being stored in plain text as a matter of course.
Max
I think the fact that they store passwords in plaintext is a big enough problem. If it was up to me, any company that still does that in 2018 should get sued into oblivion and/or have their service shut down. That almost isn’t just negligent anymore, that could be seen as maliciously incompetent. And on a scale like Instagram/Facebook as well. If I had an account I certainly would delete it.
Anonymous
They are only storing the passwords in plaintext because they are being leaked into logs. Logs generally contain the full URL, so they’d pick up the password. With POST requests the content is in the message body, so nothing is in the URL.
It is still very likely they’re hashing passwords.
r22k
Why would you have plaintext passwords in logs? In this day and age, after a user hits submit it should be encrypted and forgotten. The only reason would be if you were implementing some novel encryption scheme, and you wouldn’t do it on your live public app.
Mark Stockley
Correct, Instagram is still hashing passwords.
KF
If they don’t store passwords in plaintext, how else are they going to sell your passwords to third-parties?
r22k
It is really unacceptable and mind-blowing that developers still put users at risk because of their own laziness. In my experience passwords are left unencrypted for developer convenience. It allows for easier, *smoother* debugging, but any developer worth a penny can implement one routine to verify passwords; they are just, again, lazy :'(
Anonymous
Everybody should love the fact that the so-called cyber-security experts love to transform minimal-impact issues into the biggest catastrophe in the world, then blame developers.
Of course, if some construction people put up the biggest building in the world, they should accumulate gardener responsibilities and keep watering the tiny garden in front.
If they don’t do it, it’s a crime, because the whole world will look at the dry garden and die.
Frustration is such a big thing that it can only be compared to human stupidity.
Anonymous
How do you infer from passwords in the URL that they are storing passwords in clear text in the database? The submission method does not define the storage method. It is equally as possible that they are storing passwords in clear text as it is that they are hashing the passwords.
Mark Stockley
That inference was a mistake – I have updated the article.
ethanblake
This article is ridiculous and stupid. They’re not storing passwords in plaintext, and even if they were this wouldn’t be an indicator of it. The fact that the password was in the URL just means that the page submission was a GET request – a novice mistake for sure, but not a critical security failure.
Mark Stockley
You’re correct, the bug does not infer that Instagram were storing passwords in plain text. I’ve updated the article.
Steve
Thumbs down, not because you’re wrong, but because of your opening line.