Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, it said.
As The Information reported last week, Instagram told affected users on Thursday night that if they’d used the “download your data” feature, their passwords were showing up in plaintext in the URL of their browsers.
That might not be a big deal to a user at home on an unshared computer, but as Facebook, which owns Instagram, said in the notice to users, it means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around.
It also means that Instagram passwords were stored on Facebook servers, the user notice said, and that means in plaintext, not encrypted.
Facebook didn’t say whether anybody’s Instagram account was compromised because of the error. The Information quoted an Instagram spokesperson who said that the issue was…
…discovered internally and affected a very small number of people.
Sophos’s own Chester Wisniewski, principal research scientist, told The Information that this never would have happened if Instagram was doing encryption right. For the Facebook-owned Instagram to be able to trip up and post plaintext passwords in URLs, that means that somewhere inside of Instagram, users’ passwords are bouncing around in plain text. That’s not good as far as industry best practices go, Chester says:
This is very concerning for other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that.
We’ve already seen bigger, recent problems
Bigger problems, indeed. We don’t know what Facebook/Instagram’s definition of “small” is when it comes to this breach, but we do know that security practices led to a massive breach at Facebook in September, with what would eventually turn out to be around 30 million accounts affected and another 40 million reset as a “precautionary step.”
Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app. At least in the early days following the attack, Facebook said it looked like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.