A couple of months ago, we heard of an unsecured database leaking scraped data of 49 million Instagram users. While the data leak happened through an unprotected AWS database, the company owning the database could have actually scraped it due to an Instagram ‘backdoor’ feature. Due to a similar design flaw, Instagram exposes kids’ contact details to around 1 billion users.
Instagram Exposes Kids’ Contact Details
A data scientist, David Stier, has allegedly found a feature that acts more like a ‘backdoor’ to scrape user data. The feature is particularly dangerous as Instagram exposes kids’ contact details as well through it. The exposed information is accessible to the 1 billion Instagram users, making Instagram minors vulnerable.
Recap Of The Actual Problem
In May, Stier highlighted a problem to Facebook that caused Instagram to leak contact information of Instagram users. Precisely, Instagram’s website leaked users’ contact numbers and email addresses through the source code. The information continued to leak even if the main desktop version of the site didn’t include these details.
The feature (or a flaw) also displays contact information of minor accounts if they are set up as a business account. Moreover, it also made it easier for the threat actors to scrape all this data for any potential use or misuse. Perhaps, this speculation proved true when an Indian marketing firm ‘Chtrbox’ exposed the scraped data through their unprotected database.
At that time, Instagram confirmed that the data exposed this way (and eventually scraped) didn’t include any private information. Rather all it included was the publicly available information that the users knowingly upload and share as part of their Business Profile. Stephanie Otway, an Instagram spokesperson, said in a statement,
During the setup process for Business Profiles we display this information, remind people that it will be accessible to others, and allow them to update or remove the information.
Besides, Chtrbox also reiterated in their statement that the data inadvertently exposed for 72 hours did not include any sensitive details.
Here’s the full statement from Chtrbox: pic.twitter.com/cjANb9rwwo
— Laura Hautala (@lhautala) May 21, 2019
Nonetheless, both the statement did not address, clarify, or elaborate on the risk of data scraping.
Instagram Exposes Kids’ Account Details In Plain Text
In a recent blog post, Stier explained that the risk of data scraping expands to include children as well. While he could already see the contact information of many Instagram users under 15 years of age, things seem worse. In fact, Instagram continues to display the contact information of minors on their accounts in plain text in Instagram app. In other words, this indicates that the Instagram app users can see and extract this information without hassle. As stated by Stier,
Instagram revealed to me that the contact information of these minors was already currently displayed in plain sight on their profile page in the Instagram app — meaning that over 1,000,000,000 users could view their profile and extract that person’s phone number or email address.
Instagram’s ‘Partial’ Fix Does Not Resolve The Problem
Upon receiving the bug report from the researcher, Instagram made a partial fix to address the leak. They prevented the exposure of information through HTML. However, they haven’t taken any necessary steps to stop the plain-text display of information on Instagram minor accounts. In a statement to Stier, they said,
After discussing this functionality with the Instagram team, we did take steps to remove the contact information from the HTML of the page, since it was not necessary to include in its current form. However, this information is still accessible to Instagram users via the Contact button [within the Instagram app].
Thus, the problem of information leak continues to exist. Stier explained further that anyone clicking on the “Email” option appearing on an account can easily see the user’s email address on the upcoming page on the screen.
In addition, the ease of changing his/her profile to a ‘Business profile’ (without requiring to actually have a business) has made all minors vulnerable to potential threats associated with data scraping. The researcher could actually see some kids’ profiles changed into Business profiles.
For now, there seems no inclusive fix to address this issue. So, the entire burden of responsibility now lies on the shoulders of the parents to teach their children how to use their Instagram accounts safely but do you think that Instagram should be held responsible and have more measures in place to protect them?
Let us know your thoughts in the comments.