A security researcher says he has uncovered a vulnerability in the popular photo app Instagram that could let strangers add themselves as a friend to a user's Instagram account, giving them the ability to view photos that the user may have thought were marked as private.
Stephen Cobb, ESET North America security evangelist, wrote Wednesday on that company's blog that the hole, dubbed the "Friendship Vulnerability" by Spanish security researcher Sebastián Guerrero, is a "pretty big" one for the program, used by an estimated 50 million iPhone and Android phone owners.
Instagram's fun filters make just about any photo look retro or artsy. Photo-centric Facebook announced in April it planned to buy Instagram for $1 billion.
An English translation of Guerrero's posting on Pastebin, as noted by Cobb, says that:
"An attacker can perpetrate a brute force attack in the context of user application and add himself as a friend of all the users on Instagram, being possible in this way to get access to private albums and profile information."
Facebook officials did not respond to msnbc.com's request for comment late Wednesday afternoon. But Wednesday night, Instagram said via its Twitter account it believes the problem is "resolved," and linked to a blog posting which says, in part:
"We were recently alerted to a bug in the way our following / followers system works. Due to this bug, in very specific circumstances a following relationship could be created incorrectly."
"We don't have any evidence that this bug was taken advantage of at any other scale than very minimal experiments by a technical researcher," Instagram said in the posting. "The technical researcher was not able to follow private users, nor were private users' data ever at risk."
The "bug" was "resolved and tested for integrity within a couple hours of being alerted to it." Users' data was never at risk, Instagram said, "and at no point were private photos made public."
Updated at 11:45 p.m. ET Wednesday.
Check out Technolog, Gadgetbox, Digital Life and In-Game on Facebook, and on Twitter, follow Suzanne Choney.
First published July 11 2012, 6:25 PM