Instagram has notified some of the platform's users that their passwords may have been exposed due to a security flaw.
According to a company spokesperson, the bug was “discovered internally and affected a very small number of people”.
The news was first reported by The Information. The issue affects the “Download Your Data” tool, which Instagram rolled out in April to let users see what personal data the site holds about them, and also to comply with the new requirements of the GDPR.
“The security flaw was tied, ironically, to a tool Instagram introduced in April to let users see how much of their personal data the site had collected. ‘Download Your Data’ lets users download all the data that Instagram has on them, both to comply with new European data-privacy regulations and to satisfy increasingly privacy-sensitive users around the world,” states a blog post published on The Information.
The company told users that, if they had used the “Download Your Data” tool, their passwords had been accidentally exposed because they were included in the URL.
“If someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens,” an Instagram spokesperson told The Verge.
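The failure mode described above is a credential travelling in the query string, where it ends up in browser history, proxy and web-server logs, and Referer headers. As an added example (not code from Instagram or from the original post), the following Python scans constructed access-log lines for sensitive query parameters and produces a redacted form of each offending request target; the parameter names and log lines are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that must never appear in a query string (assumed list for this example).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Constructed sample access-log lines in Apache/nginx combined style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2018:10:01:22 +0000] "GET /download_data?username=alice&password=Hunter2%21 HTTP/1.1" 200 512
10.0.0.6 - - [14/Nov/2018:10:02:03 +0000] "POST /download_data HTTP/1.1" 200 512
10.0.0.7 - - [14/Nov/2018:10:03:40 +0000] "GET /profile?user=bob HTTP/1.1" 200 1024
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_sensitive_params(url):
    """Return the sorted names of sensitive query parameters present in a URL or request target."""
    query = urlsplit(url).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS}
    return sorted(names)


def redact_url(url):
    """Replace the values of sensitive query parameters with the literal REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(text):
    """Return (line_no, method, redacted_target, leaked_params) for every request
    whose query string carries a sensitive parameter; POST bodies are not logged, so
    a POST request line never triggers a finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        leaked = find_sensitive_params(match.group("target"))
        if leaked:
            findings.append((line_no, match.group("method"), redact_url(match.group("target")), leaked))
    return findings


if __name__ == "__main__":
    for line_no, method, target, leaked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {target} leaks {', '.join(leaked)}")
```

Run the same scan over real access logs to confirm no endpoint accepts credentials via GET; the fix on the application side is to submit credentials in a POST body and never echo them into a redirect or page URL.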
Experts fear the company may be storing passwords in plain text, but a company spokesperson played down the issue, saying the company stores only representations of passwords.
“If Instagram were storing passwords with the right encryption technology, this type of flaw shouldn’t be possible, according to Chet Wisniewski, principal research scientist at security firm Sophos,” The Information continues.
“He said the only way it could show up in the URL is if the password were stored somewhere inside of Instagram in plain text, which isn’t recommended in the security industry.”
“This is very concerning about other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that,” he said.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.